On 03/06/20 14:39, Ye Bin wrote: > if (!scsi_sg_count(scmd) || scsi_sglist(scmd)->length < len) > goto invalid_param_len; > > - p = page_address(sg_page(scsi_sglist(scmd))); > - > /* Move past header and block descriptors. */ > if (len < hdr_len) > goto invalid_param_len; > > + if (sg_copy_to_buffer(scsi_sglist(scmd), scsi_sg_count(scmd), > + buffer, 64) != 64) > + goto invalid_param_len; > + > if (six_byte) > bd_len = p[3]; > else You should not check that the number of copied bytes is 64; it will be less than that in most cases (because CACHE_MPAGE_LEN+8+8+4-2 is less than 64). How did you test this patch? Thanks, Paolo
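Review bot: the `!= 64` comparison on the added sg_copy_to_buffer() call sends every parameter list shorter than 64 bytes to invalid_param_len, even when len has already passed the two length checks above it. Copy min(len, sizeof(buffer)) bytes instead and compare the return value against that count, which also replaces the literal 64 that appears twice. In addition, the hunk deletes the `p = page_address(sg_page(scsi_sglist(scmd)))` assignment while the unchanged context line `bd_len = p[3]` still reads through p. Unless p is pointed at buffer somewhere outside the lines shown, that read uses an unset pointer, so either assign `p = buffer` after the copy or index buffer directly.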