mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-30 06:10:56 +00:00
sr: pass down correctly sized SCSI sense buffer
commitf7068114d4
upstream. We're casting the CDROM layer request_sense to the SCSI sense buffer, but the former is 64 bytes and the latter is 96 bytes. As we generally allocate these on the stack, we end up blowing up the stack. Fix this by wrapping the scsi_execute() call with a properly sized sense buffer, and copying back the bits for the CDROM layer. Cc: stable@vger.kernel.org Reported-by: Piotr Gabriel Kosinski <pg.kosinski@gmail.com> Reported-by: Daniel Shapira <daniel@twistlock.com> Tested-by: Kees Cook <keescook@chromium.org> Fixes:82ed4db499
("block: split scsi_request out of struct request") Signed-off-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
parent
a59bd81957
commit
2a039b9367
1 changed files with 8 additions and 2 deletions
|
@ -188,9 +188,13 @@ int sr_do_ioctl(Scsi_CD *cd, struct packet_command *cgc)
|
||||||
struct scsi_device *SDev;
|
struct scsi_device *SDev;
|
||||||
struct scsi_sense_hdr sshdr;
|
struct scsi_sense_hdr sshdr;
|
||||||
int result, err = 0, retries = 0;
|
int result, err = 0, retries = 0;
|
||||||
|
unsigned char sense_buffer[SCSI_SENSE_BUFFERSIZE], *senseptr = NULL;
|
||||||
|
|
||||||
SDev = cd->device;
|
SDev = cd->device;
|
||||||
|
|
||||||
|
if (cgc->sense)
|
||||||
|
senseptr = sense_buffer;
|
||||||
|
|
||||||
retry:
|
retry:
|
||||||
if (!scsi_block_when_processing_errors(SDev)) {
|
if (!scsi_block_when_processing_errors(SDev)) {
|
||||||
err = -ENODEV;
|
err = -ENODEV;
|
||||||
|
@ -198,10 +202,12 @@ int sr_do_ioctl(Scsi_CD *cd, struct packet_command *cgc)
|
||||||
}
|
}
|
||||||
|
|
||||||
result = scsi_execute(SDev, cgc->cmd, cgc->data_direction,
|
result = scsi_execute(SDev, cgc->cmd, cgc->data_direction,
|
||||||
cgc->buffer, cgc->buflen,
|
cgc->buffer, cgc->buflen, senseptr, &sshdr,
|
||||||
(unsigned char *)cgc->sense, &sshdr,
|
|
||||||
cgc->timeout, IOCTL_RETRIES, 0, 0, NULL);
|
cgc->timeout, IOCTL_RETRIES, 0, 0, NULL);
|
||||||
|
|
||||||
|
if (cgc->sense)
|
||||||
|
memcpy(cgc->sense, sense_buffer, sizeof(*cgc->sense));
|
||||||
|
|
||||||
/* Minimal error checking. Ignore cases we know about, and report the rest. */
|
/* Minimal error checking. Ignore cases we know about, and report the rest. */
|
||||||
if (driver_byte(result) != 0) {
|
if (driver_byte(result) != 0) {
|
||||||
switch (sshdr.sense_key) {
|
switch (sshdr.sense_key) {
|
||||||
|
|
Loading…
Reference in a new issue