@@ -813,7 +813,7 @@ sg_common_write(Sg_fd * sfp, Sg_request * srp,
}
if (atomic_read(&sdp->detaching)) {
if (srp->bio) {
- blk_mq_free_request(srp->rq);
+ scsi_free_cmnd(blk_mq_rq_to_pdu(srp->rq));
srp->rq = NULL;
}
@@ -1387,7 +1387,7 @@ sg_rq_end_io(struct request *rq, blk_status_t status)
* blk_rq_unmap_user() can be called from user context.
*/
srp->rq = NULL;
- blk_mq_free_request(rq);
+ scsi_free_cmnd(scmd);
write_lock_irqsave(&sfp->rq_list_lock, iflags);
if (unlikely(srp->orphan)) {
@@ -1753,14 +1753,14 @@ sg_start_req(Sg_request *srp, unsigned char *cmd)
return PTR_ERR(rq);
scmd = blk_mq_rq_to_pdu(rq);
- if (hp->cmd_len > sizeof(scmd->cmnd)) {
- blk_mq_free_request(rq);
+ if (unlikely(hp->cmd_len > SCSI_MAX_RUN_TIME_CDB_LEN)) {
+ scsi_free_cmnd(scmd);
return -EINVAL;
}
-
- memcpy(scmd->cmnd, cmd, hp->cmd_len);
- scmd->cmd_len = hp->cmd_len;
-
+ if (unlikely(!scsi_cmnd_set_cdb(scmd, cmd, hp->cmd_len))) {
+ scsi_free_cmnd(scmd);
+ return -ENOMEM;
+ }
srp->rq = rq;
rq->end_io_data = srp;
scmd->allowed = SG_DEFAULT_RETRIES;
@@ -1845,6 +1845,7 @@ sg_finish_rem_req(Sg_request *srp)
Sg_fd *sfp = srp->parentfp;
Sg_scatter_hold *req_schp = &srp->data;
+ struct request *rq = srp->rq;
SCSI_LOG_TIMEOUT(4, sg_printk(KERN_INFO, sfp->parentdp,
"sg_finish_rem_req: res_used=%d\n",
@@ -1852,8 +1853,8 @@ sg_finish_rem_req(Sg_request *srp)
if (srp->bio)
ret = blk_rq_unmap_user(srp->bio);
- if (srp->rq)
- blk_mq_free_request(srp->rq);
+ if (rq)
+ scsi_free_cmnd(blk_mq_rq_to_pdu(rq));
if (srp->res_used)
sg_unlink_reserve(sfp, srp);
Use the changes to include/scsi/scsi_cmnd.h in earlier patch to use the scsi_cmnd_set_cdb() function to place a SCSI CDB in the struct scsi_cmnd object. When free-ing up a struct request, or its attached scsi_cmnd sub-object, call scsi_free_cmnd() which ensures that if a long cdb used its own heap allocation, then that heap is freed. Signed-off-by: Douglas Gilbert <dgilbert@interlog.com> --- drivers/scsi/sg.c | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-)