[parisc-linux-cvs] [PATCH] Fix for the 53c700 drivers use of an un-initialized variable in pci_unmap_single.

Ryan Bradetich rbradetich@uswest.net
20 Dec 2001 22:37:37 -0700 

--=-N3bVbhbqkZ8s/erwjc9l
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

James and parisc-linux hackers,

I started tracking down a problem when reading from a tape device on my
C200 using the single-ended interface.  The bug manifested itself as a
mismatch between the reserved entries and the entries being free'd in
the ccio IOMMU.   I tracked the bug down to an un-initialized value
being assed to the NCR_700_unmap() when the DMA stream was initiated
from the process_script_interrupt().

Here is a trace from the driver showing the error condition:
NCR_700_queuecommand(): SCp->request_buffer: 0x6fca0000 size: 0x00002800
NCR_700_unmap(): slot->dma_handle: 0x00d28000 size: 0x00002800


Process_script_interrupt(): SCp->sense_buffer: 0x6fc9e308 size:
0x00000040
NCR_700_unmap(): slot->dma_handle: 0x00d38308 size: 0x00002800
                                                    ^^^^^^^^^^

As you can see, the size is the value from the previous
NCR_700_queuecommand().


The attached patch fixes the problem.


James,  

I have committed this patch to the parisc-linux cvs tree,
but since this is arch-independant code, I will gladly back this patch
out and apply your patch if you find a better solution.

Thanks,

- Ryan


--=-N3bVbhbqkZ8s/erwjc9l
Content-Disposition: attachment; filename=53c700.patch
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=ISO-8859-1

Index: 53c700.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /var/cvs/linux/drivers/scsi/53c700.c,v
retrieving revision 1.1
diff -u -p -r1.1 53c700.c
--- 53c700.c	2001/10/08 21:46:02	1.1
+++ 53c700.c	2001/12/21 05:20:50
@@ -1049,6 +1049,7 @@ process_script_interrupt(__u32 dsps, __u
 						    slot->pCmd,
 						    SCp->cmd_len,
 						    PCI_DMA_TODEVICE);
+				SCp->request_bufflen =3D sizeof(SCp->sense_buffer);
 				slot->dma_handle =3D pci_map_single(hostdata->pci_dev, SCp->sense_buff=
er, sizeof(SCp->sense_buffer), PCI_DMA_FROMDEVICE);
 				slot->SG[0].ins =3D bS_to_host(SCRIPT_MOVE_DATA_IN | sizeof(SCp->sense=
_buffer));
 				slot->SG[0].pAddr =3D bS_to_host(slot->dma_handle);

--=-N3bVbhbqkZ8s/erwjc9l--