[SCSI] sr: partial revert of 24669f75a3231fa37444977c92d1f4838bec1233

The patch

[SCSI] SCSI core kmalloc2kzalloc

Has an incorrect piece in sr_ioctl.c; it changes buffer from kmalloc
to kzalloc, but then removes the clearing of the stack variable struct
packet_command.  This, in turn leaves rubbish in the sense pointer
which the sr_do_ioctl() command then happily writes to ... oops.

Thanks to Mike Christie <michaelc@cs.wisc.edu> for spotting this.

Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>

1 files changed, 4 insertions, 2 deletions

diff --git a/drivers/scsi/sr_ioctl.c b/drivers/scsi/sr_ioctl.c
index 03fbc4b44473..5d02ff4db6cc 100644
--- a/drivers/scsi/sr_ioctl.c
+++ b/drivers/scsi/sr_ioctl.c
@@ -44,10 +44,11 @@ static int sr_read_tochdr(struct cdrom_device_info *cdi,
         int result;
         unsigned char *buffer;
 
-        buffer = kzalloc(32, GFP_KERNEL | SR_GFP_DMA(cd));
+        buffer = kmalloc(32, GFP_KERNEL | SR_GFP_DMA(cd));
         if (!buffer)
                 return -ENOMEM;
 
+        memset(&cgc, 0, sizeof(struct packet_command));
         cgc.timeout = IOCTL_TIMEOUT;
         cgc.cmd[0] = GPCMD_READ_TOC_PMA_ATIP;
         cgc.cmd[8] = 12;                /* LSB of length */
@@ -73,10 +74,11 @@ static int sr_read_tocentry(struct cdrom_device_info *cdi,
         int result;
         unsigned char *buffer;
 
-        buffer = kzalloc(32, GFP_KERNEL | SR_GFP_DMA(cd));
+        buffer = kmalloc(32, GFP_KERNEL | SR_GFP_DMA(cd));
         if (!buffer)
                 return -ENOMEM;
 
+        memset(&cgc, 0, sizeof(struct packet_command));
         cgc.timeout = IOCTL_TIMEOUT;
         cgc.cmd[0] = GPCMD_READ_TOC_PMA_ATIP;
         cgc.cmd[1] |= (tocentry->cdte_format == CDROM_MSF) ? 0x02 : 0;