Author: dannf Date: Thu May 3 17:01:33 2007 New Revision: 8561 Added: dists/etch/linux-2.6/debian/patches/bugfix/gdth_copy_cmd-oops-fix.patch Log: add missing patch, thx maks
Added: dists/etch/linux-2.6/debian/patches/bugfix/gdth_copy_cmd-oops-fix.patch ============================================================================== --- (empty file) +++ dists/etch/linux-2.6/debian/patches/bugfix/gdth_copy_cmd-oops-fix.patch Thu May 3 17:01:33 2007 @@ -0,0 +1,46 @@ +From: Joerg Dorchain <[EMAIL PROTECTED]> +Date: Tue, 6 Mar 2007 10:46:54 +0000 (-0800) +Subject: [SCSI] gdth: fix oops in gdth_copy_cmd() +X-Git-Tag: v2.6.21~211^2 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=bb9ba31ca3b88fd396e38950d1caedf2f83521c6 + +[SCSI] gdth: fix oops in gdth_copy_cmd() + +Recent alterations to the gdth_fill_raw_cmd() path no longer set the +sg_ranz field for zero transfer commands. However, this field is used +lower down in the function to initialise ha->cmd_len to the size of +the firmware packet. If this uninitialised field contains a bogus +value, ha->cmd_len can become much larger than the actual firmware +packet and end up oopsing in gdth_copy_cmd() as it tries to copy this +huge packet to the device (usually because it runs into an unallocated +page). + +The fix is to initialise the sg_ranz field to zero at the start of +gdth_fill_raw_cmd(). + +Signed-off-by: Joerg Dorchain <[EMAIL PROTECTED]> +Acked-by: "Leubner, Achim" <[EMAIL PROTECTED]> +Signed-off-by: Andrew Morton <[EMAIL PROTECTED]> +Signed-off-by: James Bottomley <[EMAIL PROTECTED]> +--- + +diff --git a/drivers/scsi/gdth.c b/drivers/scsi/gdth.c +index 8c81cec..60446b8 100644 +--- a/drivers/scsi/gdth.c ++++ b/drivers/scsi/gdth.c +@@ -3091,6 +3091,7 @@ static int gdth_fill_raw_cmd(int hanum,Scsi_Cmnd *scp,unchar b) + cmdp->u.raw64.direction = + gdth_direction_tab[scp->cmnd[0]]==DOU ? GDTH_DATA_OUT:GDTH_DATA_IN; + memcpy(cmdp->u.raw64.cmd,scp->cmnd,16); ++ cmdp->u.raw64.sg_ranz = 0; + } else { + cmdp->u.raw.reserved = 0; + cmdp->u.raw.mdisc_time = 0; +@@ -3107,6 +3108,7 @@ static int gdth_fill_raw_cmd(int hanum,Scsi_Cmnd *scp,unchar b) + cmdp->u.raw.direction = + gdth_direction_tab[scp->cmnd[0]]==DOU ? GDTH_DATA_OUT:GDTH_DATA_IN; + memcpy(cmdp->u.raw.cmd,scp->cmnd,12); ++ cmdp->u.raw.sg_ranz = 0; + } + + if (scp->use_sg) { _______________________________________________ Kernel-svn-changes mailing list [email protected] http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
