Techwizz/kernel-fxtec-pro1x
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

[SCSI] sr: partial revert of 24669f75a3

Browse source 
The patch

[SCSI] SCSI core kmalloc2kzalloc

Has an incorrect piece in sr_ioctl.c; it changes buffer from kmalloc
to kzalloc, but then removes the clearing of the stack variable struct
packet_command.  This, in turn leaves rubbish in the sense pointer
which the sr_do_ioctl() command then happily writes to ... oops.

Thanks to Mike Christie <michaelc@cs.wisc.edu> for spotting this.

Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
This commit is contained in:
James Bottomley 2006-03-07 14:53:40 -06:00
parent 5e6575c051
commit e12f0a3dec
1 changed files with 4 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
drivers/scsi/sr_ioctl.c
View file

@ -44,10 +44,11 @@ static int sr_read_tochdr(struct cdrom_device_info *cdi,
int result;
unsigned char *buffer;
buffer = kzalloc(32, GFP_KERNEL | SR_GFP_DMA(cd));
buffer = kmalloc(32, GFP_KERNEL | SR_GFP_DMA(cd));
if (!buffer)
return -ENOMEM;
memset(&cgc, 0, sizeof(struct packet_command));
cgc.timeout = IOCTL_TIMEOUT;
cgc.cmd[0] = GPCMD_READ_TOC_PMA_ATIP;
cgc.cmd[8] = 12; /* LSB of length */
@ -73,10 +74,11 @@ static int sr_read_tocentry(struct cdrom_device_info *cdi,
int result;
unsigned char *buffer;
buffer = kzalloc(32, GFP_KERNEL | SR_GFP_DMA(cd));
buffer = kmalloc(32, GFP_KERNEL | SR_GFP_DMA(cd));
if (!buffer)
return -ENOMEM;
memset(&cgc, 0, sizeof(struct packet_command));
cgc.timeout = IOCTL_TIMEOUT;
cgc.cmd[0] = GPCMD_READ_TOC_PMA_ATIP;
cgc.cmd[1] |= (tocentry->cdte_format == CDROM_MSF) ? 0x02 : 0;