From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: MIME-Version: 1.0 Message-Id: <20120301213925.010712470@linuxfoundation.org> Date: Thu, 01 Mar 2012 13:39:39 -0800 From: Greg KH To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: torvalds@linux-foundation.org, akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk, Adam Radford , James Bottomley , Ben Hutchings Subject: [ 17/34] SCSI: 3w-9xxx fix bug in sgl loading In-Reply-To: <20120301214654.GA13231@kroah.com> Sender: linux-kernel-owner@vger.kernel.org List-ID: 2.6.32-longterm review patch. If anyone has any objections, please let me know. ------------------ From: adam radford commit 53ca353594a254e6bd45ccf2d405aa31bcbb7091 upstream. This small patch fixes a bug in the 3w-9xxx driver where it would load an invalid sgl address in the ioctl path even if request length was zero. Signed-off-by: Adam Radford Signed-off-by: James Bottomley Cc: Ben Hutchings Signed-off-by: Greg Kroah-Hartman --- drivers/scsi/3w-9xxx.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) --- a/drivers/scsi/3w-9xxx.c +++ b/drivers/scsi/3w-9xxx.c @@ -76,6 +76,7 @@ Fix bug in twa_get_param() on 4GB+. Use pci_resource_len() for ioremap(). 2.26.02.012 - Add power management support. + 2.26.02.013 - Fix bug in twa_load_sgl(). */ #include @@ -100,7 +101,7 @@ #include "3w-9xxx.h" /* Globals */ -#define TW_DRIVER_VERSION "2.26.02.012" +#define TW_DRIVER_VERSION "2.26.02.013" static TW_Device_Extension *twa_device_extension_list[TW_MAX_SLOT]; static unsigned int twa_device_extension_count; static int twa_major = -1; @@ -1378,10 +1379,12 @@ static void twa_load_sgl(TW_Device_Exten newcommand = &full_command_packet->command.newcommand; newcommand->request_id__lunl = cpu_to_le16(TW_REQ_LUN_IN(TW_LUN_OUT(newcommand->request_id__lunl), request_id)); - newcommand->sg_list[0].address = TW_CPU_TO_SGL(dma_handle + sizeof(TW_Ioctl_Buf_Apache) - 1); - newcommand->sg_list[0].length = cpu_to_le32(length); + if (length) { + newcommand->sg_list[0].address = TW_CPU_TO_SGL(dma_handle + sizeof(TW_Ioctl_Buf_Apache) - 1); + newcommand->sg_list[0].length = cpu_to_le32(length); + } newcommand->sgl_entries__lunh = - cpu_to_le16(TW_REQ_LUN_IN(TW_LUN_OUT(newcommand->sgl_entries__lunh), 1)); + cpu_to_le16(TW_REQ_LUN_IN(TW_LUN_OUT(newcommand->sgl_entries__lunh), length ? 1 : 0)); } else { oldcommand = &full_command_packet->command.oldcommand; oldcommand->request_id = request_id;