Re: Slab corruption in 2.6.16-rc5-mm2
From: Linus Torvalds
Date: Mon Mar 06 2006 - 16:05:40 EST
On Mon, 6 Mar 2006, Jesper Juhl wrote:
>
> Hmm, is it just me or should that len= have read len=96 ???
>
> This is the change I made :
>
> --- linux-2.6.16-rc5-mm2/block/scsi_ioctl.c~ 2006-03-06
> 21:43:56.000000000 +0100
> +++ linux-2.6.16-rc5-mm2/block/scsi_ioctl.c 2006-03-06
> 21:43:56.000000000 +0100
> @@ -568,7 +568,7 @@ int scsi_cmd_ioctl(struct file *file, st
> hdr.dxferp = cgc.buffer;
> hdr.sbp = cgc.sense;
> if (hdr.sbp)
> - hdr.mx_sb_len = sizeof(struct request_sense);
> + hdr.mx_sb_len = SCSI_SENSE_BUFFERSIZE;
> hdr.timeout = cgc.timeout;
> hdr.cmdp = ((struct cdrom_generic_command __user*) arg)->cmd;
> hdr.cmd_len = sizeof(cgc.cmd);
>
> did I mess up?
That's not the one to change. It's the one in "sr_do_ioctl()", where it
uses "sizeof(*sense)".
Linus
----
diff --git a/drivers/scsi/sr_ioctl.c b/drivers/scsi/sr_ioctl.c
index 5d02ff4..b65462f 100644
--- a/drivers/scsi/sr_ioctl.c
+++ b/drivers/scsi/sr_ioctl.c
@@ -192,7 +192,7 @@ int sr_do_ioctl(Scsi_CD *cd, struct pack
SDev = cd->device;
if (!sense) {
- sense = kmalloc(sizeof(*sense), GFP_KERNEL);
+ sense = kmalloc(SCSI_SENSE_BUFFERSIZE, GFP_KERNEL);
if (!sense) {
err = -ENOMEM;
goto out;
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/