diff options
author | Tony Battersby <tonyb@cybernetics.com> | 2014-12-08 23:20:52 +0100 |
---|---|---|
committer | Christoph Hellwig <hch@lst.de> | 2014-12-15 10:31:33 +0100 |
commit | 120bb3e1e36da9c1ae6b978c825a28b944a5d7c5 (patch) | |
tree | 06eee79a3f6fea5ac824ff645c62f7af81e1450f | |
parent | Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/... (diff) | |
download | linux-120bb3e1e36da9c1ae6b978c825a28b944a5d7c5.tar.xz linux-120bb3e1e36da9c1ae6b978c825a28b944a5d7c5.zip |
scsi: fix random memory corruption with scsi-mq + T10 PI
This fixes random memory corruption triggered when all three of the
following are true:
* scsi-mq enabled
* T10 Protection Information (DIF) enabled
* SCSI host with sg_tablesize > SCSI_MAX_SG_SEGMENTS (128)
The symptoms of this bug are unpredictable memory corruption, BUG()s,
oopses, lockups, etc., any of which may appear to be completely
unrelated to the root cause.
Cc: <stable@vger.kernel.org> # 3.17.x, 3.18.x
Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
Reviewed-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Christoph Hellwig <hch@lst.de>
-rw-r--r-- | drivers/scsi/scsi_lib.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c index 43318d556cbc..9ea95dd3e260 100644 --- a/drivers/scsi/scsi_lib.c +++ b/drivers/scsi/scsi_lib.c @@ -1918,7 +1918,9 @@ static int scsi_mq_prep_fn(struct request *req) if (scsi_host_get_prot(shost)) { cmd->prot_sdb = (void *)sg + - shost->sg_tablesize * sizeof(struct scatterlist); + min_t(unsigned int, + shost->sg_tablesize, SCSI_MAX_SG_SEGMENTS) * + sizeof(struct scatterlist); memset(cmd->prot_sdb, 0, sizeof(struct scsi_data_buffer)); cmd->prot_sdb->table.sgl = |