Commit b09bfe36 authored by Joerg Dorchain's avatar Joerg Dorchain Committed by Greg Kroah-Hartman

gdth: fix oops in gdth_copy_cmd()

Recent alterations to the gdth_fill_raw_cmd() path no longer set the
sg_ranz field for zero transfer commands. However, this field is used
lower down in the function to initialise ha->cmd_len to the size of
the firmware packet.  If this uninitialised field contains a bogus
value, ha->cmd_len can become much larger than the actual firmware
packet and end up oopsing in gdth_copy_cmd() as it tries to copy this
huge packet to the device (usually because it runs into an unallocated
page).

The fix is to initialise the sg_ranz field to zero at the start of
gdth_fill_raw_cmd().
Signed-off-by: default avatarJoerg Dorchain <joerg@dorchain.net>
Acked-by: default avatar"Achim Leubner" <Achim_Leubner@adaptec.com>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarJames Bottomley <James.Bottomley@SteelEye.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
parent 1995b605
...@@ -3092,6 +3092,7 @@ static int gdth_fill_raw_cmd(int hanum,Scsi_Cmnd *scp,unchar b) ...@@ -3092,6 +3092,7 @@ static int gdth_fill_raw_cmd(int hanum,Scsi_Cmnd *scp,unchar b)
cmdp->u.raw64.direction = cmdp->u.raw64.direction =
gdth_direction_tab[scp->cmnd[0]]==DOU ? GDTH_DATA_OUT:GDTH_DATA_IN; gdth_direction_tab[scp->cmnd[0]]==DOU ? GDTH_DATA_OUT:GDTH_DATA_IN;
memcpy(cmdp->u.raw64.cmd,scp->cmnd,16); memcpy(cmdp->u.raw64.cmd,scp->cmnd,16);
cmdp->u.raw64.sg_ranz = 0;
} else { } else {
cmdp->u.raw.reserved = 0; cmdp->u.raw.reserved = 0;
cmdp->u.raw.mdisc_time = 0; cmdp->u.raw.mdisc_time = 0;
...@@ -3108,6 +3109,7 @@ static int gdth_fill_raw_cmd(int hanum,Scsi_Cmnd *scp,unchar b) ...@@ -3108,6 +3109,7 @@ static int gdth_fill_raw_cmd(int hanum,Scsi_Cmnd *scp,unchar b)
cmdp->u.raw.direction = cmdp->u.raw.direction =
gdth_direction_tab[scp->cmnd[0]]==DOU ? GDTH_DATA_OUT:GDTH_DATA_IN; gdth_direction_tab[scp->cmnd[0]]==DOU ? GDTH_DATA_OUT:GDTH_DATA_IN;
memcpy(cmdp->u.raw.cmd,scp->cmnd,12); memcpy(cmdp->u.raw.cmd,scp->cmnd,12);
cmdp->u.raw.sg_ranz = 0;
} }
if (scp->use_sg) { if (scp->use_sg) {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment