diff options
| author | Alan Stern <stern@rowland.harvard.edu> | 2006-11-10 15:27:57 -0500 |
|---|---|---|
| committer | Linus Torvalds <torvalds@g5.osdl.org> | 2006-11-13 10:40:43 -0500 |
| commit | 09123d230a294cd3b860f4ea042235b988277f0a (patch) | |
| tree | e5231cafdbecb9fbf4bc0d1b462f43c64136980b /drivers/scsi/scsi_scan.c | |
| parent | f72fa707604c015a6625e80f269506032d5430dc (diff) | |
[PATCH] SCSI core: always store >= 36 bytes of INQUIRY data
This patch (as810c) copies a minimum of 36 bytes of INQUIRY data, even if
the device claims that not all of them are valid. Often badly behaved
devices put plausible data in the Vendor, Product, and Revision strings but
set the Additional Length byte to a small value. Using potentially valid
data is certainly better than allocating a short buffer and then reading
beyond the end of it, which is what we do now.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Cc: James Bottomley <James.Bottomley@steeleye.com>
Cc: Greg KH <greg@kroah.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'drivers/scsi/scsi_scan.c')
| -rw-r--r-- | drivers/scsi/scsi_scan.c | 18 |
1 files changed, 14 insertions, 4 deletions
diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c index fd9e281c3bfe..94a274645f6f 100644 --- a/drivers/scsi/scsi_scan.c +++ b/drivers/scsi/scsi_scan.c | |||
| @@ -631,12 +631,22 @@ static int scsi_add_lun(struct scsi_device *sdev, unsigned char *inq_result, | |||
| 631 | * scanning run at their own risk, or supply a user level program | 631 | * scanning run at their own risk, or supply a user level program |
| 632 | * that can correctly scan. | 632 | * that can correctly scan. |
| 633 | */ | 633 | */ |
| 634 | sdev->inquiry = kmalloc(sdev->inquiry_len, GFP_ATOMIC); | 634 | |
| 635 | if (sdev->inquiry == NULL) { | 635 | /* |
| 636 | * Copy at least 36 bytes of INQUIRY data, so that we don't | ||
| 637 | * dereference unallocated memory when accessing the Vendor, | ||
| 638 | * Product, and Revision strings. Badly behaved devices may set | ||
| 639 | * the INQUIRY Additional Length byte to a small value, indicating | ||
| 640 | * these strings are invalid, but often they contain plausible data | ||
| 641 | * nonetheless. It doesn't matter if the device sent < 36 bytes | ||
| 642 | * total, since scsi_probe_lun() initializes inq_result with 0s. | ||
| 643 | */ | ||
| 644 | sdev->inquiry = kmemdup(inq_result, | ||
| 645 | max_t(size_t, sdev->inquiry_len, 36), | ||
| 646 | GFP_ATOMIC); | ||
| 647 | if (sdev->inquiry == NULL) | ||
| 636 | return SCSI_SCAN_NO_RESPONSE; | 648 | return SCSI_SCAN_NO_RESPONSE; |
| 637 | } | ||
| 638 | 649 | ||
| 639 | memcpy(sdev->inquiry, inq_result, sdev->inquiry_len); | ||
| 640 | sdev->vendor = (char *) (sdev->inquiry + 8); | 650 | sdev->vendor = (char *) (sdev->inquiry + 8); |
| 641 | sdev->model = (char *) (sdev->inquiry + 16); | 651 | sdev->model = (char *) (sdev->inquiry + 16); |
| 642 | sdev->rev = (char *) (sdev->inquiry + 32); | 652 | sdev->rev = (char *) (sdev->inquiry + 32); |