summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJoerg Dorchain <joerg@dorchain.net>2007-03-06 02:46:54 -0800
committerGreg Kroah-Hartman <gregkh@suse.de>2007-03-23 12:49:21 -0700
commitb09bfe3601682228d9b4612a0266359df9710791 (patch)
treebcb5cf337f8a0fa1c0311e8793db03b4b7f94400
parent1995b605df589e93a11395ca239891187b7f1bdf (diff)
gdth: fix oops in gdth_copy_cmd()
Recent alterations to the gdth_fill_raw_cmd() path no longer set the sg_ranz field for zero transfer commands. However, this field is used lower down in the function to initialise ha->cmd_len to the size of the firmware packet. If this uninitialised field contains a bogus value, ha->cmd_len can become much larger than the actual firmware packet and end up oopsing in gdth_copy_cmd() as it tries to copy this huge packet to the device (usually because it runs into an unallocated page). The fix is to initialise the sg_ranz field to zero at the start of gdth_fill_raw_cmd(). Signed-off-by: Joerg Dorchain <joerg@dorchain.net> Acked-by: "Achim Leubner" <Achim_Leubner@adaptec.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r--drivers/scsi/gdth.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/scsi/gdth.c b/drivers/scsi/gdth.c
index 4c698a71f66f..df1026795cf6 100644
--- a/drivers/scsi/gdth.c
+++ b/drivers/scsi/gdth.c
@@ -3092,6 +3092,7 @@ static int gdth_fill_raw_cmd(int hanum,Scsi_Cmnd *scp,unchar b)
cmdp->u.raw64.direction =
gdth_direction_tab[scp->cmnd[0]]==DOU ? GDTH_DATA_OUT:GDTH_DATA_IN;
memcpy(cmdp->u.raw64.cmd,scp->cmnd,16);
+ cmdp->u.raw64.sg_ranz = 0;
} else {
cmdp->u.raw.reserved = 0;
cmdp->u.raw.mdisc_time = 0;
@@ -3108,6 +3109,7 @@ static int gdth_fill_raw_cmd(int hanum,Scsi_Cmnd *scp,unchar b)
cmdp->u.raw.direction =
gdth_direction_tab[scp->cmnd[0]]==DOU ? GDTH_DATA_OUT:GDTH_DATA_IN;
memcpy(cmdp->u.raw.cmd,scp->cmnd,12);
+ cmdp->u.raw.sg_ranz = 0;
}
if (scp->use_sg) {