    esp_scsi: Fix tag state corruption when autosensing. · 74e8a9ef
    David S. Miller authored
    [ Upstream commit 21af8107f27878813d0364733c0b08813c2c192a ]
    Meelis Roos reports a crash in esp_free_lun_tag() in the presence
    of a disk which has died.
    The issue is that when we issue an autosense command, we do so by
    hijacking the original command that caused the check-condition.
    When we do so we clear out the ent->tag[] array when we issue it via
    find_and_prep_issuable_command().  This is so that the autosense
    command is forced to be issued non-tagged.
    That is problematic, because it is the value of ent->tag[] which
    determines whether we issued the original scsi command as tagged
    vs. non-tagged (see esp_alloc_lun_tag()).
    And that, in turn, is what trips up the sanity checks in
    esp_free_lun_tag().  That function needs the original ->tag[] values
    in order to free up the tag slot properly.
    Fix this by remembering the original command's tag values, and
    having esp_alloc_lun_tag() and esp_free_lun_tag() use them.
    Reported-by: Meelis Roos <mroos@linux.ee>
    Tested-by: Meelis Roos <mroos@linux.ee>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
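The failure mode described in the commit message, as a simplified user-space model added here for illustration (not the driver's code): the struct layouts, the function names, the `orig_tag` field and the tag bytes are assumptions. It shows why freeing by the cleared `tag[]` trips the slot check, while freeing by a saved copy of the original tag values does not.

```c
#include <stdio.h>
#include <string.h>

#define MAX_TAGS 4

/* Simplified stand-ins for per-command and per-LUN state (assumed layout). */
struct cmd_ent { unsigned char tag[2], orig_tag[2]; };
struct lun { void *tagged[MAX_TAGS]; void *non_tagged; int num_tagged; };

/* Claim a slot; which[0] decides tagged vs. non-tagged bookkeeping. */
static void alloc_tag(struct lun *lp, struct cmd_ent *ent, const unsigned char *which)
{
    if (!which[0]) { lp->non_tagged = ent; return; }
    lp->tagged[which[1]] = ent;
    lp->num_tagged++;
}

/* Release a slot; returns -1 where a real sanity check would fire. */
static int free_tag(struct lun *lp, struct cmd_ent *ent, const unsigned char *which)
{
    if (which[0]) {
        if (lp->tagged[which[1]] != ent) return -1;
        lp->tagged[which[1]] = NULL;
        lp->num_tagged--;
        return 0;
    }
    if (lp->non_tagged != ent) return -1;  /* slot was never claimed this way */
    lp->non_tagged = NULL;
    return 0;
}

/* Issue a tagged command, hijack it for autosense (tag[] cleared), free it.
 * use_saved = 0 frees by tag[] (pre-fix); 1 frees by the saved orig_tag[]. */
int run_autosense(int use_saved)
{
    struct lun lp = {0};
    struct cmd_ent ent = { .tag = {0x20, 2} };  /* constructed tag bytes */
    memcpy(ent.orig_tag, ent.tag, sizeof(ent.tag));
    alloc_tag(&lp, &ent, ent.orig_tag);
    ent.tag[0] = ent.tag[1] = 0;  /* autosense is forced non-tagged */
    return free_tag(&lp, &ent, use_saved ? ent.orig_tag : ent.tag);
}

int main(void)
{
    printf("free by cleared tag[]: %d\n", run_autosense(0));
    printf("free by saved orig_tag[]: %d\n", run_autosense(1));
    return 0;
}
```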
esp_scsi.c 64.9 KB