From 828d09de4a6c922517f533093583b9fe8cbf5808 Mon Sep 17 00:00:00 2001 From: Jeff Garzik Date: Sat, 12 Nov 2005 01:27:07 -0500 Subject: [PATCH] [libata ahci, qstor] fix miscount of scatter/gather entries Don't directly reference qc->n_elem, as that might cause an off-by-one error for misaligned (padded) ATAPI transfers. --- drivers/scsi/ahci.c | 14 +++++++++++--- drivers/scsi/sata_qstor.c | 9 ++++++--- 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/drivers/scsi/ahci.c b/drivers/scsi/ahci.c index 57ef7ae387d9..7b0640bc0079 100644 --- a/drivers/scsi/ahci.c +++ b/drivers/scsi/ahci.c @@ -474,11 +474,12 @@ static void ahci_tf_read(struct ata_port *ap, struct ata_taskfile *tf) ata_tf_from_fis(d2h_fis, tf); } -static void ahci_fill_sg(struct ata_queued_cmd *qc) +static unsigned int ahci_fill_sg(struct ata_queued_cmd *qc) { struct ahci_port_priv *pp = qc->ap->private_data; struct scatterlist *sg; struct ahci_sg *ahci_sg; + unsigned int n_sg = 0; VPRINTK("ENTER\n"); @@ -493,8 +494,12 @@ static void ahci_fill_sg(struct ata_queued_cmd *qc) ahci_sg->addr = cpu_to_le32(addr & 0xffffffff); ahci_sg->addr_hi = cpu_to_le32((addr >> 16) >> 16); ahci_sg->flags_size = cpu_to_le32(sg_len - 1); + ahci_sg++; + n_sg++; } + + return n_sg; } static void ahci_qc_prep(struct ata_queued_cmd *qc) @@ -503,13 +508,14 @@ static void ahci_qc_prep(struct ata_queued_cmd *qc) struct ahci_port_priv *pp = ap->private_data; u32 opts; const u32 cmd_fis_len = 5; /* five dwords */ + unsigned int n_elem; /* * Fill in command slot information (currently only one slot, * slot 0, is currently since we don't do queueing) */ - opts = (qc->n_elem << 16) | cmd_fis_len; + opts = cmd_fis_len; if (qc->tf.flags & ATA_TFLAG_WRITE) opts |= AHCI_CMD_WRITE; if (is_atapi_taskfile(&qc->tf)) @@ -533,7 +539,9 @@ static void ahci_qc_prep(struct ata_queued_cmd *qc) if (!(qc->flags & ATA_QCFLAG_DMAMAP)) return; - ahci_fill_sg(qc); + n_elem = ahci_fill_sg(qc); + + pp->cmd_slot[0].opts |= cpu_to_le32(n_elem << 16); } static void ahci_intr_error(struct ata_port *ap, u32 irq_stat) diff --git a/drivers/scsi/sata_qstor.c b/drivers/scsi/sata_qstor.c index b2f6324a2eb2..4a6d3067d23c 100644 --- a/drivers/scsi/sata_qstor.c +++ b/drivers/scsi/sata_qstor.c @@ -268,7 +268,7 @@ static void qs_scr_write (struct ata_port *ap, unsigned int sc_reg, u32 val) writel(val, (void __iomem *)(ap->ioaddr.scr_addr + (sc_reg * 8))); } -static void qs_fill_sg(struct ata_queued_cmd *qc) +static unsigned int qs_fill_sg(struct ata_queued_cmd *qc) { struct scatterlist *sg; struct ata_port *ap = qc->ap; @@ -296,6 +296,8 @@ static void qs_fill_sg(struct ata_queued_cmd *qc) (unsigned long long)addr, len); nelem++; } + + return nelem; } static void qs_qc_prep(struct ata_queued_cmd *qc) @@ -304,6 +306,7 @@ static void qs_qc_prep(struct ata_queued_cmd *qc) u8 dflags = QS_DF_PORD, *buf = pp->pkt; u8 hflags = QS_HF_DAT | QS_HF_IEN | QS_HF_VLD; u64 addr; + unsigned int nelem; VPRINTK("ENTER\n"); @@ -313,7 +316,7 @@ static void qs_qc_prep(struct ata_queued_cmd *qc) return; } - qs_fill_sg(qc); + nelem = qs_fill_sg(qc); if ((qc->tf.flags & ATA_TFLAG_WRITE)) hflags |= QS_HF_DIRO; @@ -324,7 +327,7 @@ static void qs_qc_prep(struct ata_queued_cmd *qc) buf[ 0] = QS_HCB_HDR; buf[ 1] = hflags; *(__le32 *)(&buf[ 4]) = cpu_to_le32(qc->nsect * ATA_SECT_SIZE); - *(__le32 *)(&buf[ 8]) = cpu_to_le32(qc->n_elem); + *(__le32 *)(&buf[ 8]) = cpu_to_le32(nelem); addr = ((u64)pp->pkt_dma) + QS_CPB_BYTES; *(__le64 *)(&buf[16]) = cpu_to_le64(addr); -- 2.34.1