[SCSI] sr: partial revert of 24669f75a3231fa37444977c92d1f4838bec1233
authorJames Bottomley <jejb@mulgrave.il.steeleye.com>
Tue, 7 Mar 2006 20:53:40 +0000 (14:53 -0600)
committerJames Bottomley <jejb@mulgrave.il.steeleye.com>
Tue, 7 Mar 2006 20:53:40 +0000 (14:53 -0600)
The patch

[SCSI] SCSI core kmalloc2kzalloc

Has an incorrect piece in sr_ioctl.c; it changes buffer from kmalloc
to kzalloc, but then removes the clearing of the stack variable struct
packet_command.  This, in turn leaves rubbish in the sense pointer
which the sr_do_ioctl() command then happily writes to ... oops.

Thanks to Mike Christie <michaelc@cs.wisc.edu> for spotting this.

Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
drivers/scsi/sr_ioctl.c

index 03fbc4b44473814b917259b8a3aec9f518ddfd05..5d02ff4db6cc1e050d94ee83fa24899d9dc9050a 100644 (file)
@@ -44,10 +44,11 @@ static int sr_read_tochdr(struct cdrom_device_info *cdi,
        int result;
        unsigned char *buffer;
 
        int result;
        unsigned char *buffer;
 
-       buffer = kzalloc(32, GFP_KERNEL | SR_GFP_DMA(cd));
+       buffer = kmalloc(32, GFP_KERNEL | SR_GFP_DMA(cd));
        if (!buffer)
                return -ENOMEM;
 
        if (!buffer)
                return -ENOMEM;
 
+       memset(&cgc, 0, sizeof(struct packet_command));
        cgc.timeout = IOCTL_TIMEOUT;
        cgc.cmd[0] = GPCMD_READ_TOC_PMA_ATIP;
        cgc.cmd[8] = 12;                /* LSB of length */
        cgc.timeout = IOCTL_TIMEOUT;
        cgc.cmd[0] = GPCMD_READ_TOC_PMA_ATIP;
        cgc.cmd[8] = 12;                /* LSB of length */
@@ -73,10 +74,11 @@ static int sr_read_tocentry(struct cdrom_device_info *cdi,
        int result;
        unsigned char *buffer;
 
        int result;
        unsigned char *buffer;
 
-       buffer = kzalloc(32, GFP_KERNEL | SR_GFP_DMA(cd));
+       buffer = kmalloc(32, GFP_KERNEL | SR_GFP_DMA(cd));
        if (!buffer)
                return -ENOMEM;
 
        if (!buffer)
                return -ENOMEM;
 
+       memset(&cgc, 0, sizeof(struct packet_command));
        cgc.timeout = IOCTL_TIMEOUT;
        cgc.cmd[0] = GPCMD_READ_TOC_PMA_ATIP;
        cgc.cmd[1] |= (tocentry->cdte_format == CDROM_MSF) ? 0x02 : 0;
        cgc.timeout = IOCTL_TIMEOUT;
        cgc.cmd[0] = GPCMD_READ_TOC_PMA_ATIP;
        cgc.cmd[1] |= (tocentry->cdte_format == CDROM_MSF) ? 0x02 : 0;