James/Linux-scsi, The following patch from Bjorn Mork for megaraid_sas sanity checks the user supplied length in megasas_mgmt_fw_ioctl() to prevent a null pointer dereference in dma_alloc_coherent() while running smartmontools. Signed-off-by: Adam Radford <aradford@xxxxxxxxx> diff -Naur linux-2.6.38-rc5/drivers/scsi/megaraid/megaraid_sas_base.c linux-2.6.38-rc5.new/drivers/scsi/megaraid/megaraid_sas_base.c --- linux-2.6.38-rc5/drivers/scsi/megaraid/megaraid_sas_base.c 2011-02-19 14:07:13.455395141 -0800 +++ linux-2.6.38-rc5.new/drivers/scsi/megaraid/megaraid_sas_base.c 2011-02-19 14:08:31.914332199 -0800 @@ -4630,6 +4630,11 @@ * For each user buffer, create a mirror buffer and copy in */ for (i = 0; i < ioc->sge_count; i++) { + if (ioc->sgl[i].iov_len == 0) { + kbuff_arr[i] = NULL; + continue; + } + kbuff_arr[i] = dma_alloc_coherent(&instance->pdev->dev, ioc->sgl[i].iov_len, &buf_handle, GFP_KERNEL);
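Review bot: skipping a zero-length SGL entry leaves kbuff_arr[i] set to NULL, so every later consumer of kbuff_arr in megasas_mgmt_fw_ioctl() (the copy back into the user's SGL and the dma_free_coherent() cleanup loop) must also tolerate a NULL entry; those paths are outside this hunk, so please confirm they check `kbuff_arr[i]` before using it, otherwise the fix moves the dereference rather than removing it. The check also only filters iov_len == 0; a caller can still pass an arbitrarily large iov_len into dma_alloc_coherent(), so it is worth verifying that the existing allocation-failure path frees the entries already allocated and returns an error rather than continuing with a partially populated kbuff_arr.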
Attachment: megaraid_sas.patch7 (binary data)