summaryrefslogtreecommitdiff
path: root/drivers/scsi
diff options
context:
space:
mode:
authorTony Battersby <tonyb@cybernetics.com>2014-12-09 01:20:52 +0300
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2015-01-27 19:29:38 +0300
commit7fbdd0ef30d4515f6638a80b1a3e76713e2c88db (patch)
tree738d55bf15b069f08824eeaad29d08b6748ab2f8 /drivers/scsi
parent5f5628fbda628598dbb22a9b02dcabf771dcaa28 (diff)
downloadlinux-7fbdd0ef30d4515f6638a80b1a3e76713e2c88db.tar.xz
scsi: fix random memory corruption with scsi-mq + T10 PI
commit 120bb3e1e36da9c1ae6b978c825a28b944a5d7c5 upstream. This fixes random memory corruption triggered when all three of the following are true: * scsi-mq enabled * T10 Protection Information (DIF) enabled * SCSI host with sg_tablesize > SCSI_MAX_SG_SEGMENTS (128) The symptoms of this bug are unpredictable memory corruption, BUG()s, oopses, lockups, etc., any of which may appear to be completely unrelated to the root cause. Signed-off-by: Tony Battersby <tonyb@cybernetics.com> Reviewed-by: Nicholas Bellinger <nab@linux-iscsi.org> Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/scsi')
-rw-r--r--drivers/scsi/scsi_lib.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 50a6e1ac8d9c..17fb0518c9c1 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -1829,7 +1829,9 @@ static int scsi_mq_prep_fn(struct request *req)
if (scsi_host_get_prot(shost)) {
cmd->prot_sdb = (void *)sg +
- shost->sg_tablesize * sizeof(struct scatterlist);
+ min_t(unsigned int,
+ shost->sg_tablesize, SCSI_MAX_SG_SEGMENTS) *
+ sizeof(struct scatterlist);
memset(cmd->prot_sdb, 0, sizeof(struct scsi_data_buffer));
cmd->prot_sdb->table.sgl =
generated by cgit v1.2.3 (git 2.39.0) at 2024-10-19 03:08:31 +0300