[SCSI] gdth: fix oops in gdth_copy_cmd()

Tue, 27 Mar 2007 10:00:36 -0800 

Gitweb:     
http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=bb9ba31ca3b88fd396e38950d1caedf2f83521c6
Commit:     bb9ba31ca3b88fd396e38950d1caedf2f83521c6
Parent:     ba76ef246090601b783c1e6190e22b8b149a105f
Author:     Joerg Dorchain <[EMAIL PROTECTED]>
AuthorDate: Tue Mar 6 02:46:54 2007 -0800
Committer:  James Bottomley <[EMAIL PROTECTED]>
CommitDate: Sun Mar 11 10:58:49 2007 -0500

    [SCSI] gdth: fix oops in gdth_copy_cmd()
    
    Recent alterations to the gdth_fill_raw_cmd() path no longer set the
    sg_ranz field for zero transfer commands. However, this field is used
    lower down in the function to initialise ha->cmd_len to the size of
    the firmware packet.  If this uninitialised field contains a bogus
    value, ha->cmd_len can become much larger than the actual firmware
    packet and end up oopsing in gdth_copy_cmd() as it tries to copy this
    huge packet to the device (usually because it runs into an unallocated
    page).
    
    The fix is to initialise the sg_ranz field to zero at the start of
    gdth_fill_raw_cmd().
    
    Signed-off-by: Joerg Dorchain <[EMAIL PROTECTED]>
    Acked-by: "Leubner, Achim" <[EMAIL PROTECTED]>
    Signed-off-by: Andrew Morton <[EMAIL PROTECTED]>
    Signed-off-by: James Bottomley <[EMAIL PROTECTED]>
---
 drivers/scsi/gdth.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/drivers/scsi/gdth.c b/drivers/scsi/gdth.c
index 8c81cec..60446b8 100644
--- a/drivers/scsi/gdth.c
+++ b/drivers/scsi/gdth.c
@@ -3091,6 +3091,7 @@ static int gdth_fill_raw_cmd(int hanum,Scsi_Cmnd 
*scp,unchar b)
             cmdp->u.raw64.direction  = 
                 gdth_direction_tab[scp->cmnd[0]]==DOU ? 
GDTH_DATA_OUT:GDTH_DATA_IN;
             memcpy(cmdp->u.raw64.cmd,scp->cmnd,16);
+            cmdp->u.raw64.sg_ranz    = 0;
         } else {
             cmdp->u.raw.reserved   = 0;
             cmdp->u.raw.mdisc_time = 0;
@@ -3107,6 +3108,7 @@ static int gdth_fill_raw_cmd(int hanum,Scsi_Cmnd 
*scp,unchar b)
             cmdp->u.raw.direction  = 
                 gdth_direction_tab[scp->cmnd[0]]==DOU ? 
GDTH_DATA_OUT:GDTH_DATA_IN;
             memcpy(cmdp->u.raw.cmd,scp->cmnd,12);
+            cmdp->u.raw.sg_ranz    = 0;
         }
 
         if (scp->use_sg) {
-
To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to