[SCSI] gdth: fix oops in gdth_copy_cmd()
Recent alterations to the gdth_fill_raw_cmd() path no longer set the sg_ranz field for zero transfer commands. However, this field is used lower down in the function to initialise ha->cmd_len to the size of the firmware packet. If this uninitialised field contains a bogus value, ha->cmd_len can become much larger than the actual firmware packet and end up oopsing in gdth_copy_cmd() as it tries to copy this huge packet to the device (usually because it runs into an unallocated page). The fix is to initialise the sg_ranz field to zero at the start of gdth_fill_raw_cmd(). Signed-off-by: Joerg Dorchain <joerg@dorchain.net> Acked-by: "Leubner, Achim" <Achim_Leubner@adaptec.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
This commit is contained in:
parent
ba76ef2460
commit
bb9ba31ca3
|
@ -3091,6 +3091,7 @@ static int gdth_fill_raw_cmd(int hanum,Scsi_Cmnd *scp,unchar b)
|
|||
cmdp->u.raw64.direction =
|
||||
gdth_direction_tab[scp->cmnd[0]]==DOU ? GDTH_DATA_OUT:GDTH_DATA_IN;
|
||||
memcpy(cmdp->u.raw64.cmd,scp->cmnd,16);
|
||||
cmdp->u.raw64.sg_ranz = 0;
|
||||
} else {
|
||||
cmdp->u.raw.reserved = 0;
|
||||
cmdp->u.raw.mdisc_time = 0;
|
||||
|
@ -3107,6 +3108,7 @@ static int gdth_fill_raw_cmd(int hanum,Scsi_Cmnd *scp,unchar b)
|
|||
cmdp->u.raw.direction =
|
||||
gdth_direction_tab[scp->cmnd[0]]==DOU ? GDTH_DATA_OUT:GDTH_DATA_IN;
|
||||
memcpy(cmdp->u.raw.cmd,scp->cmnd,12);
|
||||
cmdp->u.raw.sg_ranz = 0;
|
||||
}
|
||||
|
||||
if (scp->use_sg) {
|
||||
|
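Review bot: The two added `sg_ranz = 0;` lines (this hunk and the earlier raw64 branch at -3091) fix the one field named in the description, but the surrounding raw/raw64 header is still populated field by field, so if `cmdp` points at a reused packet, as the "uninitialised field contains a bogus value" wording implies, any other field the non-sg path does not write keeps a stale value from the previous command. Clearing the union once before the per-field assignments, e.g. `memset(&cmdp->u.raw64, 0, sizeof(cmdp->u.raw64));` in the raw64 branch and the matching `memset(&cmdp->u.raw, 0, sizeof(cmdp->u.raw));` in the raw branch, would make the packet size computed from these fields independent of what the buffer held before. The added lines also deserve a why-comment, since nothing nearby says that sg_ranz feeds ha->cmd_len: `/* no SG elements; a stale sg_ranz oversizes cmd_len and the copy in gdth_copy_cmd() */`. gdth_fill_raw_cmd() begins and ends outside both hunks, so the cmd_len computation itself is not visible here.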