On Fri, 8 Feb 2008 11:46:13 -0500 (EST) Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> wrote: > On Tue, 5 Feb 2008, Matthew Dharm wrote: > > > We both agree that the code shouldn't run off the end of the s-g > > list. > > Incidentally, if people want a simple bugfix patch for 2.6.24.stable, > this should do it. Mark, can you confirm that this patch alone fixes > the problem? Confirmed: works just fine. Tested-by: Mark Glines <mark@xxxxxxxxxx> > > Alan Stern > > > > Index: 2.6.24/drivers/usb/storage/protocol.c > =================================================================== > --- 2.6.24.orig/drivers/usb/storage/protocol.c > +++ 2.6.24/drivers/usb/storage/protocol.c > @@ -194,7 +194,7 @@ unsigned int usb_stor_access_xfer_buf(un > * and the starting offset within the page, and > update > * the *offset and *index values for the next loop. > */ cnt = 0; > - while (cnt < buflen) { > + while (cnt < buflen && sg) { > struct page *page = sg_page(sg) + > ((sg->offset + *offset) >> > PAGE_SHIFT); unsigned int poff = > @@ -249,6 +249,7 @@ void usb_stor_set_xfer_buf(unsigned char > unsigned int offset = 0; > struct scatterlist *sg = NULL; > > + buflen = min(buflen, srb->request_bufflen); > usb_stor_access_xfer_buf(buffer, buflen, srb, &sg, &offset, > TO_XFER_BUF); > if (buflen < srb->request_bufflen) > - To unsubscribe from this list: send the line "unsubscribe linux-scsi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html