summaryrefslogtreecommitdiffstats
path: root/drivers/scsi/aic94xx
diff options
context:
space:
mode:
authorDan Williams <dan.j.williams@intel.com>2012-06-22 19:52:34 +0200
committerJames Bottomley <JBottomley@Parallels.com>2012-07-08 10:49:14 +0200
commit6ef1b512f4e6f936d89aa20be3d97a7ec7c290ac (patch)
treede2a0d0a74d2f0cdab456766fa77c5ec60487771 /drivers/scsi/aic94xx
parent[SCSI] Fix NULL dereferences in scsi_cmd_to_driver (diff)
downloadlinux-6ef1b512f4e6f936d89aa20be3d97a7ec7c290ac.tar.xz
linux-6ef1b512f4e6f936d89aa20be3d97a7ec7c290ac.zip
[SCSI] libsas: fix taskfile corruption in sas_ata_qc_fill_rtf
fill_result_tf() grabs the taskfile flags from the originating qc which sas_ata_qc_fill_rtf() promptly overwrites. The presence of an ata_taskfile in the sata_device makes it tempting to just copy the full contents in sas_ata_qc_fill_rtf(). However, libata really only wants the fis contents and expects the other portions of the taskfile to not be touched by ->qc_fill_rtf. To that end store a fis buffer in the sata_device and use ata_tf_from_fis() like every other ->qc_fill_rtf() implementation. Cc: <stable@vger.kernel.org> Reported-by: Praveen Murali <pmurali@logicube.com> Tested-by: Praveen Murali <pmurali@logicube.com> Signed-off-by: Dan Williams <dan.j.williams@intel.com> Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Diffstat (limited to 'drivers/scsi/aic94xx')
-rw-r--r--drivers/scsi/aic94xx/aic94xx_task.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/scsi/aic94xx/aic94xx_task.c b/drivers/scsi/aic94xx/aic94xx_task.c
index 532d212b6b2c..393e7ce8e95a 100644
--- a/drivers/scsi/aic94xx/aic94xx_task.c
+++ b/drivers/scsi/aic94xx/aic94xx_task.c
@@ -201,7 +201,7 @@ static void asd_get_response_tasklet(struct asd_ascb *ascb,
if (SAS_STATUS_BUF_SIZE >= sizeof(*resp)) {
resp->frame_len = le16_to_cpu(*(__le16 *)(r+6));
- memcpy(&resp->ending_fis[0], r+16, 24);
+ memcpy(&resp->ending_fis[0], r+16, ATA_RESP_FIS_SIZE);
ts->buf_valid_size = sizeof(*resp);
}
}