From ae36a28cdf6950c37a0e0313a2bb22144c6e1803 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@suse.de>
Date: Fri, 23 Dec 2005 11:05:10 -0800
Subject: [PATCH] added 3 more patches to queue

---
 ...x-sysfs-access-with-config_modules-n.patch |  39 ++++++
 ...ransfer-direction-in-scsi_lib-and-st.patch | 118 ++++++++++++++++++
 queue/scsi-fix-transfer-direction-in-sd.patch |  98 +++++++++++++++
 queue/series                                  |   3 +
 4 files changed, 258 insertions(+)
 create mode 100644 queue/kernel-params.c-fix-sysfs-access-with-config_modules-n.patch
 create mode 100644 queue/scsi-fix-transfer-direction-in-scsi_lib-and-st.patch
 create mode 100644 queue/scsi-fix-transfer-direction-in-sd.patch

diff --git a/queue/kernel-params.c-fix-sysfs-access-with-config_modules-n.patch b/queue/kernel-params.c-fix-sysfs-access-with-config_modules-n.patch
new file mode 100644
index 00000000000..9d90970efd7
--- /dev/null
+++ b/queue/kernel-params.c-fix-sysfs-access-with-config_modules-n.patch
@@ -0,0 +1,39 @@
+From stable-bounces@linux.kernel.org Tue Dec 20 14:46:39 2005
+Date: Tue, 20 Dec 2005 23:41:02 +0100
+From: Adrian Bunk <bunk@stusta.de>
+To: stable@kernel.org
+Message-ID: <20051220224102.GB5359@stusta.de>
+Content-Disposition: inline
+Subject: kernel/params.c: fix sysfs access with CONFIG_MODULES=n
+
+From: Jason Wessel <jason.wessel@windriver.com>
+
+All the work was done to setup the file and maintain the file handles but
+the access functions were zeroed out due to the #ifdef.  Removing the
+#ifdef allows full access to all the parameters when CONFIG_MODULES=n.
+
+akpm: put it back again, but use CONFIG_SYSFS instead.
+
+This patch has already been included in Linus' tree.
+
+
+Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Adrian Bunk <bunk@stusta.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/params.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.14.4.orig/kernel/params.c
++++ linux-2.6.14.4/kernel/params.c
+@@ -618,7 +618,7 @@ static void __init param_sysfs_builtin(v
+ 
+ 
+ /* module-related sysfs stuff */
+-#ifdef CONFIG_MODULES
++#ifdef CONFIG_SYSFS
+ 
+ #define to_module_attr(n) container_of(n, struct module_attribute, attr);
+ #define to_module_kobject(n) container_of(n, struct module_kobject, kobj);
diff --git a/queue/scsi-fix-transfer-direction-in-scsi_lib-and-st.patch b/queue/scsi-fix-transfer-direction-in-scsi_lib-and-st.patch
new file mode 100644
index 00000000000..7f380e213a3
--- /dev/null
+++ b/queue/scsi-fix-transfer-direction-in-scsi_lib-and-st.patch
@@ -0,0 +1,118 @@
+From stable-bounces@linux.kernel.org Wed Dec 14 14:37:17 2005
+Date: Wed, 14 Dec 2005 23:34:11 +0100 (CET)
+From: Stefan Richter <stefanr@s5r6.in-berlin.de>
+To: stable@kernel.org
+Message-ID: <tkrat.a92b3c0b86f82868@s5r6.in-berlin.de>
+Content-Disposition: INLINE
+Cc: James Bottomley <James.Bottomley@SteelEye.com>
+Subject: SCSI: fix transfer direction in scsi_lib and st
+
+SCSI: fix transfer direction in scsi_lib and st
+
+scsi_prep_fn and st_init_command could issue WRITE requests with zero
+buffer length. This may lead to kernel panic or oops with some SCSI
+low-level drivers.
+
+Derived from -rc patches from Jens Axboe and James Bottomley.
+
+Patch is reassembled for -stable from patches:
+[SCSI] fix panic when ejecting ieee1394 ipod
+[SCSI] Consolidate REQ_BLOCK_PC handling path (fix ipod panic)
+
+Depends on patch "SCSI: fix transfer direction in sd (kernel panic when
+ejecting iPod)". Also modifies the already correct sr_init_command to
+fully match the corresponding -rc patch.
+
+
+Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ drivers/scsi/scsi_lib.c |   13 +------------
+ drivers/scsi/sr.c       |   20 +++-----------------
+ drivers/scsi/st.c       |   19 +------------------
+ 3 files changed, 5 insertions(+), 47 deletions(-)
+
+--- linux-2.6.14.4.orig/drivers/scsi/scsi_lib.c
++++ linux-2.6.14.4/drivers/scsi/scsi_lib.c
+@@ -1284,18 +1284,7 @@ static int scsi_prep_fn(struct request_q
+ 				goto kill;
+ 			}
+ 		} else {
+-			memcpy(cmd->cmnd, req->cmd, sizeof(cmd->cmnd));
+-			cmd->cmd_len = req->cmd_len;
+-			if (rq_data_dir(req) == WRITE)
+-				cmd->sc_data_direction = DMA_TO_DEVICE;
+-			else if (req->data_len)
+-				cmd->sc_data_direction = DMA_FROM_DEVICE;
+-			else
+-				cmd->sc_data_direction = DMA_NONE;
+-			
+-			cmd->transfersize = req->data_len;
+-			cmd->allowed = 3;
+-			cmd->timeout_per_command = req->timeout;
++			scsi_setup_blk_pc_cmnd(cmd, 3);
+ 			cmd->done = scsi_generic_done;
+ 		}
+ 	}
+--- linux-2.6.14.4.orig/drivers/scsi/sr.c
++++ linux-2.6.14.4/drivers/scsi/sr.c
+@@ -320,25 +320,11 @@ static int sr_init_command(struct scsi_c
+ 	 * these are already setup, just copy cdb basically
+ 	 */
+ 	if (SCpnt->request->flags & REQ_BLOCK_PC) {
+-		struct request *rq = SCpnt->request;
++		scsi_setup_blk_pc_cmnd(SCpnt, MAX_RETRIES);
+ 
+-		if (sizeof(rq->cmd) > sizeof(SCpnt->cmnd))
+-			return 0;
+-
+-		memcpy(SCpnt->cmnd, rq->cmd, sizeof(SCpnt->cmnd));
+-		SCpnt->cmd_len = rq->cmd_len;
+-		if (!rq->data_len)
+-			SCpnt->sc_data_direction = DMA_NONE;
+-		else if (rq_data_dir(rq) == WRITE)
+-			SCpnt->sc_data_direction = DMA_TO_DEVICE;
+-		else
+-			SCpnt->sc_data_direction = DMA_FROM_DEVICE;
+-
+-		this_count = rq->data_len;
+-		if (rq->timeout)
+-			timeout = rq->timeout;
++		if (SCpnt->timeout_per_command)
++			timeout = SCpnt->timeout_per_command;
+ 
+-		SCpnt->transfersize = rq->data_len;
+ 		goto queue;
+ 	}
+ 
+--- linux-2.6.14.4.orig/drivers/scsi/st.c
++++ linux-2.6.14.4/drivers/scsi/st.c
+@@ -4196,27 +4196,10 @@ static void st_intr(struct scsi_cmnd *SC
+  */
+ static int st_init_command(struct scsi_cmnd *SCpnt)
+ {
+-	struct request *rq;
+-
+ 	if (!(SCpnt->request->flags & REQ_BLOCK_PC))
+ 		return 0;
+ 
+-	rq = SCpnt->request;
+-	if (sizeof(rq->cmd) > sizeof(SCpnt->cmnd))
+-		return 0;
+-
+-	memcpy(SCpnt->cmnd, rq->cmd, sizeof(SCpnt->cmnd));
+-	SCpnt->cmd_len = rq->cmd_len;
+-
+-	if (rq_data_dir(rq) == WRITE)
+-		SCpnt->sc_data_direction = DMA_TO_DEVICE;
+-	else if (rq->data_len)
+-		SCpnt->sc_data_direction = DMA_FROM_DEVICE;
+-	else
+-		SCpnt->sc_data_direction = DMA_NONE;
+-
+-	SCpnt->timeout_per_command = rq->timeout;
+-	SCpnt->transfersize = rq->data_len;
++	scsi_setup_blk_pc_cmnd(SCpnt, 0);
+ 	SCpnt->done = st_intr;
+ 	return 1;
+ }
diff --git a/queue/scsi-fix-transfer-direction-in-sd.patch b/queue/scsi-fix-transfer-direction-in-sd.patch
new file mode 100644
index 00000000000..d7322b48ee1
--- /dev/null
+++ b/queue/scsi-fix-transfer-direction-in-sd.patch
@@ -0,0 +1,98 @@
+From stable-bounces@linux.kernel.org Wed Dec 14 14:37:12 2005
+Date: Wed, 14 Dec 2005 23:32:33 +0100 (CET)
+From: Stefan Richter <stefanr@s5r6.in-berlin.de>
+To: stable@kernel.org
+Message-ID: <tkrat.4cb325c7ad591694@s5r6.in-berlin.de>
+Content-Disposition: INLINE
+Cc: James Bottomley <James.Bottomley@SteelEye.com>
+Subject: SCSI: fix transfer direction in sd (kernel panic when ejecting iPod)
+
+SCSI: fix transfer direction in sd (kernel panic when ejecting iPod)
+
+sd_init_command could issue WRITE requests with zero buffer length.
+This may lead to kernel panic or oops with some SCSI low-level drivers.
+Seen with the command "eject /dev/sdX" when disconnecting an iPod:
+http://marc.theaimsgroup.com/?l=linux1394-devel&m=113399994920181
+http://marc.theaimsgroup.com/?l=linux1394-user&m=112152701817435
+
+Derived from -rc patches from Jens Axboe and James Bottomley.
+
+Patch is reassembled for -stable from patches:
+[SCSI] fix panic when ejecting ieee1394 ipod
+[SCSI] Consolidate REQ_BLOCK_PC handling path (fix ipod panic)
+
+
+Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ drivers/scsi/scsi_lib.c  |   20 ++++++++++++++++++++
+ drivers/scsi/sd.c        |   16 +---------------
+ include/scsi/scsi_cmnd.h |    1 +
+ 3 files changed, 22 insertions(+), 15 deletions(-)
+
+--- linux-2.6.14.4.orig/drivers/scsi/scsi_lib.c
++++ linux-2.6.14.4/drivers/scsi/scsi_lib.c
+@@ -1129,6 +1129,26 @@ static void scsi_generic_done(struct scs
+ 	scsi_io_completion(cmd, cmd->result == 0 ? cmd->bufflen : 0, 0);
+ }
+ 
++void scsi_setup_blk_pc_cmnd(struct scsi_cmnd *cmd, int retries)
++{
++	struct request *req = cmd->request;
++
++	BUG_ON(sizeof(req->cmd) > sizeof(cmd->cmnd));
++	memcpy(cmd->cmnd, req->cmd, sizeof(cmd->cmnd));
++	cmd->cmd_len = req->cmd_len;
++	if (!req->data_len)
++		cmd->sc_data_direction = DMA_NONE;
++	else if (rq_data_dir(req) == WRITE)
++		cmd->sc_data_direction = DMA_TO_DEVICE;
++	else
++		cmd->sc_data_direction = DMA_FROM_DEVICE;
++
++	cmd->transfersize = req->data_len;
++	cmd->allowed = retries;
++	cmd->timeout_per_command = req->timeout;
++}
++EXPORT_SYMBOL_GPL(scsi_setup_blk_pc_cmnd);
++
+ static int scsi_prep_fn(struct request_queue *q, struct request *req)
+ {
+ 	struct scsi_device *sdev = q->queuedata;
+--- linux-2.6.14.4.orig/drivers/scsi/sd.c
++++ linux-2.6.14.4/drivers/scsi/sd.c
+@@ -231,24 +231,10 @@ static int sd_init_command(struct scsi_c
+ 	 * SG_IO from block layer already setup, just copy cdb basically
+ 	 */
+ 	if (blk_pc_request(rq)) {
+-		if (sizeof(rq->cmd) > sizeof(SCpnt->cmnd))
+-			return 0;
+-
+-		memcpy(SCpnt->cmnd, rq->cmd, sizeof(SCpnt->cmnd));
+-		SCpnt->cmd_len = rq->cmd_len;
+-		if (rq_data_dir(rq) == WRITE)
+-			SCpnt->sc_data_direction = DMA_TO_DEVICE;
+-		else if (rq->data_len)
+-			SCpnt->sc_data_direction = DMA_FROM_DEVICE;
+-		else
+-			SCpnt->sc_data_direction = DMA_NONE;
+-
+-		this_count = rq->data_len;
++		scsi_setup_blk_pc_cmnd(SCpnt, SD_PASSTHROUGH_RETRIES);
+ 		if (rq->timeout)
+ 			timeout = rq->timeout;
+ 
+-		SCpnt->transfersize = rq->data_len;
+-		SCpnt->allowed = SD_PASSTHROUGH_RETRIES;
+ 		goto queue;
+ 	}
+ 
+--- linux-2.6.14.4.orig/include/scsi/scsi_cmnd.h
++++ linux-2.6.14.4/include/scsi/scsi_cmnd.h
+@@ -150,5 +150,6 @@ extern struct scsi_cmnd *scsi_get_comman
+ extern void scsi_put_command(struct scsi_cmnd *);
+ extern void scsi_io_completion(struct scsi_cmnd *, unsigned int, unsigned int);
+ extern void scsi_finish_command(struct scsi_cmnd *cmd);
++extern void scsi_setup_blk_pc_cmnd(struct scsi_cmnd *cmd, int retries);
+ 
+ #endif /* _SCSI_SCSI_CMND_H */
diff --git a/queue/series b/queue/series
index 15aec73bc6c..3f6bd72e8de 100644
--- a/queue/series
+++ b/queue/series
@@ -13,3 +13,6 @@ fix-bridge-nf-ipv6-length-check.patch
 ipv6-fix-route-lifetime.patch
 ipsec-perform-SA-switchover-immediately.patch
 input-fix-an-OOPS-in-HID-driver.patch
+kernel-params.c-fix-sysfs-access-with-config_modules-n.patch
+scsi-fix-transfer-direction-in-sd.patch
+scsi-fix-transfer-direction-in-scsi_lib-and-st.patch
-- 
2.47.3