1 From stable-bounces@linux.kernel.org Sun Feb 26 15:21:33 2006
2 Date: Mon, 27 Feb 2006 00:16:10 +0100 (CET)
3 From: Stefan Richter <stefanr@s5r6.in-berlin.de>
5 Cc: James Bottomley <James.Bottomley@SteelEye.com>, linux-kernel@vger.kernel.org, Al Viro <viro@zeniv.linux.org.uk>
6 Subject: [PATCH] sd: fix memory corruption with broken mode page headers
8 sd: fix memory corruption with broken mode page headers
10 There's a problem in sd where we blindly believe the length of the
11 headers and block descriptors. Some devices return insane values for
12 these and cause our length to end up greater than the actual buffer
13 size, so check to make sure.
15 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
17 Also removed the buffer size magic number (512) and added DPOFUA of
20 Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
21 Signed-off-by: Linus Torvalds <torvalds@osdl.org>
23 rediff for 2.6.15.x without DPOFUA bit, taken from commit
24 489708007785389941a89fa06aedc5ec53303c96
26 Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
27 Signed-off-by: Chris Wright <chrisw@sous-sol.org>
29 fixes http://bugzilla.kernel.org/show_bug.cgi?id=6114 and
30 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=182005
32 drivers/scsi/sd.c | 19 ++++++++++++++++---
33 1 files changed, 16 insertions(+), 3 deletions(-)
35 --- linux-2.6.15.4.orig/drivers/scsi/sd.c
36 +++ linux-2.6.15.4/drivers/scsi/sd.c
38 #define SD_MAX_RETRIES 5
39 #define SD_PASSTHROUGH_RETRIES 1
42 + * Size of the initial data buffer for mode and read capacity data
44 +#define SD_BUF_SIZE 512
46 static void scsi_disk_release(struct kref *kref);
49 @@ -1299,7 +1304,7 @@ sd_do_mode_sense(struct scsi_device *sdp
52 * read write protect setting, if possible - called only in sd_revalidate_disk()
53 - * called with buffer of length 512
54 + * called with buffer of length SD_BUF_SIZE
57 sd_read_write_protect_flag(struct scsi_disk *sdkp, char *diskname,
58 @@ -1357,7 +1362,7 @@ sd_read_write_protect_flag(struct scsi_d
61 * sd_read_cache_type - called only from sd_revalidate_disk()
62 - * called with buffer of length 512
63 + * called with buffer of length SD_BUF_SIZE
66 sd_read_cache_type(struct scsi_disk *sdkp, char *diskname,
67 @@ -1402,6 +1407,8 @@ sd_read_cache_type(struct scsi_disk *sdk
69 /* Take headers and block descriptors into account */
70 len += data.header_length + data.block_descriptor_length;
71 + if (len > SD_BUF_SIZE)
75 res = sd_do_mode_sense(sdp, dbd, modepage, buffer, len, &data, &sshdr);
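Review bot: The guard `if (len > SD_BUF_SIZE)` bounds only the transfer length handed to the second sd_do_mode_sense(), while `data.header_length` and `data.block_descriptor_length` are device-reported and appear to be read again from that second response (the `int offset = ...` line in the following -1414 hunk), so this cap alone does not make the later `buffer[offset]` reads safe; it is the `offset >= SD_BUF_SIZE - 2` check in that hunk which does, and the two guards are only correct as a pair. A comment above the check would make the trust boundary explicit, e.g. `/* header/descriptor lengths come from the device: never request more than the buffer holds */`. The line after the check (presumably the clamp assignment) is not in view, and sd_read_cache_type begins and ends outside this hunk.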
76 @@ -1414,6 +1421,12 @@ sd_read_cache_type(struct scsi_disk *sdk
78 int offset = data.header_length + data.block_descriptor_length;
80 + if (offset >= SD_BUF_SIZE - 2) {
81 + printk(KERN_ERR "%s: malformed MODE SENSE response",
86 if ((buffer[offset] & 0x3f) != modepage) {
87 printk(KERN_ERR "%s: got wrong page\n", diskname);
89 @@ -1472,7 +1485,7 @@ static int sd_revalidate_disk(struct gen
90 if (!scsi_device_online(sdp))
93 - buffer = kmalloc(512, GFP_KERNEL | __GFP_DMA);
94 + buffer = kmalloc(SD_BUF_SIZE, GFP_KERNEL | __GFP_DMA);
96 printk(KERN_WARNING "(sd_revalidate_disk:) Memory allocation "