From: Chris Wright Date: Mon, 27 Feb 2006 20:20:14 +0000 (-0800) Subject: Add fix for memory corruption with buggy sbp2 disks, fwd from Stefan Richter X-Git-Tag: v2.6.15.5~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0bec1fe08636cce11e38afd69397bf87497213d8;p=thirdparty%2Fkernel%2Fstable-queue.git Add fix for memory corruption with buggy sbp2 disks, fwd from Stefan Richter --- diff --git a/queue/sd-fix-memory-corruption-with-broken-mode-page-headers.patch b/queue/sd-fix-memory-corruption-with-broken-mode-page-headers.patch new file mode 100644 index 00000000000..79b67224206 --- /dev/null +++ b/queue/sd-fix-memory-corruption-with-broken-mode-page-headers.patch @@ -0,0 +1,97 @@ +From stable-bounces@linux.kernel.org Sun Feb 26 15:21:33 2006 +Date: Mon, 27 Feb 2006 00:16:10 +0100 (CET) +From: Stefan Richter +To: stable@kernel.org +Cc: James Bottomley , linux-kernel@vger.kernel.org, Al Viro +Subject: [PATCH] sd: fix memory corruption with broken mode page headers + +sd: fix memory corruption with broken mode page headers + +There's a problem in sd where we blindly believe the length of the +headers and block descriptors. Some devices return insane values for +these and cause our length to end up greater than the actual buffer +size, so check to make sure. + +Signed-off-by: Al Viro + +Also removed the buffer size magic number (512) and added DPOFUA of +zero to the defaults + +Signed-off-by: James Bottomley +Signed-off-by: Linus Torvalds + +rediff for 2.6.15.x without DPOFUA bit, taken from commit +489708007785389941a89fa06aedc5ec53303c96 + +Signed-off-by: Stefan Richter +Signed-off-by: Chris Wright +--- +fixes http://bugzilla.kernel.org/show_bug.cgi?id=6114 and +http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=182005 + + drivers/scsi/sd.c | 19 ++++++++++++++++--- + 1 files changed, 16 insertions(+), 3 deletions(-) + +--- linux-2.6.15.4.orig/drivers/scsi/sd.c ++++ linux-2.6.15.4/drivers/scsi/sd.c +@@ -88,6 +88,11 @@ + #define SD_MAX_RETRIES 5 + #define SD_PASSTHROUGH_RETRIES 1 + ++/* ++ * Size of the initial data buffer for mode and read capacity data ++ */ ++#define SD_BUF_SIZE 512 ++ + static void scsi_disk_release(struct kref *kref); + + struct scsi_disk { +@@ -1299,7 +1304,7 @@ sd_do_mode_sense(struct scsi_device *sdp + + /* + * read write protect setting, if possible - called only in sd_revalidate_disk() +- * called with buffer of length 512 ++ * called with buffer of length SD_BUF_SIZE + */ + static void + sd_read_write_protect_flag(struct scsi_disk *sdkp, char *diskname, +@@ -1357,7 +1362,7 @@ sd_read_write_protect_flag(struct scsi_d + + /* + * sd_read_cache_type - called only from sd_revalidate_disk() +- * called with buffer of length 512 ++ * called with buffer of length SD_BUF_SIZE + */ + static void + sd_read_cache_type(struct scsi_disk *sdkp, char *diskname, +@@ -1402,6 +1407,8 @@ sd_read_cache_type(struct scsi_disk *sdk + + /* Take headers and block descriptors into account */ + len += data.header_length + data.block_descriptor_length; ++ if (len > SD_BUF_SIZE) ++ goto bad_sense; + + /* Get the data */ + res = sd_do_mode_sense(sdp, dbd, modepage, buffer, len, &data, &sshdr); +@@ -1414,6 +1421,12 @@ sd_read_cache_type(struct scsi_disk *sdk + int ct = 0; + int offset = data.header_length + data.block_descriptor_length; + ++ if (offset >= SD_BUF_SIZE - 2) { ++ printk(KERN_ERR "%s: malformed MODE SENSE response", ++ diskname); ++ goto defaults; ++ } ++ + if ((buffer[offset] & 0x3f) != modepage) { + printk(KERN_ERR "%s: got wrong page\n", diskname); + goto defaults; +@@ -1472,7 +1485,7 @@ static int sd_revalidate_disk(struct gen + if (!scsi_device_online(sdp)) + goto out; + +- buffer = kmalloc(512, GFP_KERNEL | __GFP_DMA); ++ buffer = kmalloc(SD_BUF_SIZE, GFP_KERNEL | __GFP_DMA); + if (!buffer) { + printk(KERN_WARNING "(sd_revalidate_disk:) Memory allocation " + "failure.\n"); diff --git a/queue/series b/queue/series index 24fb47f91ba..ccae94f9d1d 100644 --- a/queue/series +++ b/queue/series @@ -32,3 +32,4 @@ skge-genesis-phy-initialization-fix.patch skge-fix-smp-race.patch x86_64-check-for-bad-elf-entry-address.patch fix-a-severe-bug.patch +sd-fix-memory-corruption-with-broken-mode-page-headers.patch