aboutsummaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorJoerg Dorchain <joerg@dorchain.net>2007-03-06 05:46:54 -0500
committerJames Bottomley <jejb@mulgrave.il.steeleye.com>2007-03-11 11:58:49 -0400
commitbb9ba31ca3b88fd396e38950d1caedf2f83521c6 (patch)
tree18981413f6395e915395e862fc3b3436adea2b88 /drivers
parentba76ef246090601b783c1e6190e22b8b149a105f (diff)
[SCSI] gdth: fix oops in gdth_copy_cmd()
Recent alterations to the gdth_fill_raw_cmd() path no longer set the sg_ranz field for zero transfer commands. However, this field is used lower down in the function to initialise ha->cmd_len to the size of the firmware packet. If this uninitialised field contains a bogus value, ha->cmd_len can become much larger than the actual firmware packet and end up oopsing in gdth_copy_cmd() as it tries to copy this huge packet to the device (usually because it runs into an unallocated page). The fix is to initialise the sg_ranz field to zero at the start of gdth_fill_raw_cmd(). Signed-off-by: Joerg Dorchain <joerg@dorchain.net> Acked-by: "Leubner, Achim" <Achim_Leubner@adaptec.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/scsi/gdth.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/scsi/gdth.c b/drivers/scsi/gdth.c
index 8c81cec85298..60446b88f721 100644
--- a/drivers/scsi/gdth.c
+++ b/drivers/scsi/gdth.c
@@ -3091,6 +3091,7 @@ static int gdth_fill_raw_cmd(int hanum,Scsi_Cmnd *scp,unchar b)
3091 cmdp->u.raw64.direction = 3091 cmdp->u.raw64.direction =
3092 gdth_direction_tab[scp->cmnd[0]]==DOU ? GDTH_DATA_OUT:GDTH_DATA_IN; 3092 gdth_direction_tab[scp->cmnd[0]]==DOU ? GDTH_DATA_OUT:GDTH_DATA_IN;
3093 memcpy(cmdp->u.raw64.cmd,scp->cmnd,16); 3093 memcpy(cmdp->u.raw64.cmd,scp->cmnd,16);
3094 cmdp->u.raw64.sg_ranz = 0;
3094 } else { 3095 } else {
3095 cmdp->u.raw.reserved = 0; 3096 cmdp->u.raw.reserved = 0;
3096 cmdp->u.raw.mdisc_time = 0; 3097 cmdp->u.raw.mdisc_time = 0;
@@ -3107,6 +3108,7 @@ static int gdth_fill_raw_cmd(int hanum,Scsi_Cmnd *scp,unchar b)
3107 cmdp->u.raw.direction = 3108 cmdp->u.raw.direction =
3108 gdth_direction_tab[scp->cmnd[0]]==DOU ? GDTH_DATA_OUT:GDTH_DATA_IN; 3109 gdth_direction_tab[scp->cmnd[0]]==DOU ? GDTH_DATA_OUT:GDTH_DATA_IN;
3109 memcpy(cmdp->u.raw.cmd,scp->cmnd,12); 3110 memcpy(cmdp->u.raw.cmd,scp->cmnd,12);
3111 cmdp->u.raw.sg_ranz = 0;
3110 } 3112 }
3111 3113
3112 if (scp->use_sg) { 3114 if (scp->use_sg) {