summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTony Battersby <tonyb@cybernetics.com>2014-12-08 23:20:52 +0100
committerChristoph Hellwig <hch@lst.de>2014-12-15 10:31:33 +0100
commit120bb3e1e36da9c1ae6b978c825a28b944a5d7c5 (patch)
tree06eee79a3f6fea5ac824ff645c62f7af81e1450f
parentMerge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/... (diff)
downloadlinux-120bb3e1e36da9c1ae6b978c825a28b944a5d7c5.tar.xz
linux-120bb3e1e36da9c1ae6b978c825a28b944a5d7c5.zip
scsi: fix random memory corruption with scsi-mq + T10 PI
This fixes random memory corruption triggered when all three of the following are true: * scsi-mq enabled * T10 Protection Information (DIF) enabled * SCSI host with sg_tablesize > SCSI_MAX_SG_SEGMENTS (128) The symptoms of this bug are unpredictable memory corruption, BUG()s, oopses, lockups, etc., any of which may appear to be completely unrelated to the root cause. Cc: <stable@vger.kernel.org> # 3.17.x, 3.18.x Signed-off-by: Tony Battersby <tonyb@cybernetics.com> Reviewed-by: Nicholas Bellinger <nab@linux-iscsi.org> Signed-off-by: Christoph Hellwig <hch@lst.de>
-rw-r--r--drivers/scsi/scsi_lib.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 43318d556cbc..9ea95dd3e260 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -1918,7 +1918,9 @@ static int scsi_mq_prep_fn(struct request *req)
if (scsi_host_get_prot(shost)) {
cmd->prot_sdb = (void *)sg +
- shost->sg_tablesize * sizeof(struct scatterlist);
+ min_t(unsigned int,
+ shost->sg_tablesize, SCSI_MAX_SG_SEGMENTS) *
+ sizeof(struct scatterlist);
memset(cmd->prot_sdb, 0, sizeof(struct scsi_data_buffer));
cmd->prot_sdb->table.sgl =