Re: [PATCH] panic in scsi_free/sr_scatter_pad

[Jens Axboe]

On Tue, May 29 2001, Paul Gortmaker wrote:
> I think I recall seeing something reported like this on the list(?):
> 
>   sr: ran out of mem for scatter pad
>   Kernel panic: scsi_free: bad offset

Here's a better patch, it also gets the freeing right. It's been fixed
for long, just haven't been sent to Linus yet. It's in Alan's tree, and
in fact I think I've send it to this list more than once :)

-- 
Jens Axboe


diff -urN --exclude-from /home/axboe/cdrom/exclude 
/opt/kernel/linux-2.4.4-pre2/drivers/scsi/sr.c linux/drivers/scsi/sr.c
--- /opt/kernel/linux-2.4.4-pre2/drivers/scsi/sr.c      Mon Feb 19 19:25:17 2001
+++ linux/drivers/scsi/sr.c     Mon Apr  9 09:18:46 2001
@@ -262,7 +262,7 @@
 static int sr_scatter_pad(Scsi_Cmnd *SCpnt, int s_size)
 {
        struct scatterlist *sg, *old_sg = NULL;
-       int i, fsize, bsize, sg_ent;
+       int i, fsize, bsize, sg_ent, sg_count;
        char *front, *back;
 
        back = front = NULL;
@@ -290,17 +290,24 @@
        /*
         * extend or allocate new scatter-gather table
         */
-       if (SCpnt->use_sg)
+       sg_count = SCpnt->use_sg;
+       if (sg_count)
                old_sg = (struct scatterlist *) SCpnt->request_buffer;
        else {
-               SCpnt->use_sg = 1;
+               sg_count = 1;
                sg_ent++;
        }
 
-       SCpnt->sglist_len = ((sg_ent * sizeof(struct scatterlist)) + 511) & ~511;
-       if ((sg = scsi_malloc(SCpnt->sglist_len)) == NULL)
+       i = ((sg_ent * sizeof(struct scatterlist)) + 511) & ~511;
+       if ((sg = scsi_malloc(i)) == NULL)
                goto no_mem;
 
+       /*
+        * no more failing memory allocs possible, we can safely assign
+        * SCpnt values now
+        */
+       SCpnt->sglist_len = i;
+       SCpnt->use_sg = sg_count;
        memset(sg, 0, SCpnt->sglist_len);
 
        i = 0;