Commit eb571eea authored by Joe Lawrence's avatar Joe Lawrence Committed by Jens Axboe

block,scsi: verify return pointer from blk_get_request

The blk-core dead queue checks introduce an error scenario to
blk_get_request that returns NULL if the request queue has been
shutdown. This affects the behavior for __GFP_WAIT callers, who should
verify the return value before dereferencing.
Signed-off-by: default avatarJoe Lawrence <joe.lawrence@stratus.com>
Acked-by: Jiri Kosina <jkosina@suse.cz> [for pktdvd]
Reviewed-by: default avatarJeff Moyer <jmoyer@redhat.com>
Signed-off-by: default avatarJens Axboe <axboe@fb.com>
parent 52addcf9
...@@ -448,6 +448,10 @@ int sg_scsi_ioctl(struct request_queue *q, struct gendisk *disk, fmode_t mode, ...@@ -448,6 +448,10 @@ int sg_scsi_ioctl(struct request_queue *q, struct gendisk *disk, fmode_t mode,
} }
rq = blk_get_request(q, in_len ? WRITE : READ, __GFP_WAIT); rq = blk_get_request(q, in_len ? WRITE : READ, __GFP_WAIT);
if (!rq) {
err = -ENODEV;
goto error_free_buffer;
}
cmdlen = COMMAND_SIZE(opcode); cmdlen = COMMAND_SIZE(opcode);
...@@ -520,8 +524,9 @@ int sg_scsi_ioctl(struct request_queue *q, struct gendisk *disk, fmode_t mode, ...@@ -520,8 +524,9 @@ int sg_scsi_ioctl(struct request_queue *q, struct gendisk *disk, fmode_t mode,
} }
error: error:
kfree(buffer);
blk_put_request(rq); blk_put_request(rq);
error_free_buffer:
kfree(buffer);
return err; return err;
} }
EXPORT_SYMBOL_GPL(sg_scsi_ioctl); EXPORT_SYMBOL_GPL(sg_scsi_ioctl);
...@@ -534,6 +539,8 @@ static int __blk_send_generic(struct request_queue *q, struct gendisk *bd_disk, ...@@ -534,6 +539,8 @@ static int __blk_send_generic(struct request_queue *q, struct gendisk *bd_disk,
int err; int err;
rq = blk_get_request(q, WRITE, __GFP_WAIT); rq = blk_get_request(q, WRITE, __GFP_WAIT);
if (!rq)
return -ENODEV;
blk_rq_set_block_pc(rq); blk_rq_set_block_pc(rq);
rq->timeout = BLK_DEFAULT_SG_TIMEOUT; rq->timeout = BLK_DEFAULT_SG_TIMEOUT;
rq->cmd[0] = cmd; rq->cmd[0] = cmd;
......
...@@ -722,6 +722,8 @@ static int pd_special_command(struct pd_unit *disk, ...@@ -722,6 +722,8 @@ static int pd_special_command(struct pd_unit *disk,
int err = 0; int err = 0;
rq = blk_get_request(disk->gd->queue, READ, __GFP_WAIT); rq = blk_get_request(disk->gd->queue, READ, __GFP_WAIT);
if (!rq)
return -ENODEV;
rq->cmd_type = REQ_TYPE_SPECIAL; rq->cmd_type = REQ_TYPE_SPECIAL;
rq->special = func; rq->special = func;
......
...@@ -704,6 +704,8 @@ static int pkt_generic_packet(struct pktcdvd_device *pd, struct packet_command * ...@@ -704,6 +704,8 @@ static int pkt_generic_packet(struct pktcdvd_device *pd, struct packet_command *
rq = blk_get_request(q, (cgc->data_direction == CGC_DATA_WRITE) ? rq = blk_get_request(q, (cgc->data_direction == CGC_DATA_WRITE) ?
WRITE : READ, __GFP_WAIT); WRITE : READ, __GFP_WAIT);
if (!rq)
return -ENODEV;
blk_rq_set_block_pc(rq); blk_rq_set_block_pc(rq);
if (cgc->buflen) { if (cgc->buflen) {
......
...@@ -1960,6 +1960,8 @@ static void scsi_eh_lock_door(struct scsi_device *sdev) ...@@ -1960,6 +1960,8 @@ static void scsi_eh_lock_door(struct scsi_device *sdev)
* request becomes available * request becomes available
*/ */
req = blk_get_request(sdev->request_queue, READ, GFP_KERNEL); req = blk_get_request(sdev->request_queue, READ, GFP_KERNEL);
if (!req)
return;
blk_rq_set_block_pc(req); blk_rq_set_block_pc(req);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment