diff options
author | James Bottomley <jejb@mulgrave.il.steeleye.com> | 2006-03-07 14:53:40 -0600 |
---|---|---|
committer | James Bottomley <jejb@mulgrave.il.steeleye.com> | 2006-03-07 14:53:40 -0600 |
commit | e12f0a3dec17de3d847f533ba81ad6956c9da5fd (patch) | |
tree | db7c3936468c363d5ba710c6b6e2612a2a734964 | |
parent | 5e6575c051f3313feb9fe1aad61263b3560df5cc (diff) |
[SCSI] sr: partial revert of 24669f75a3231fa37444977c92d1f4838bec1233
The patch
[SCSI] SCSI core kmalloc2kzalloc
Has an incorrect piece in sr_ioctl.c; it changes buffer from kmalloc
to kzalloc, but then removes the clearing of the stack variable struct
packet_command. This, in turn leaves rubbish in the sense pointer
which the sr_do_ioctl() command then happily writes to ... oops.
Thanks to Mike Christie <michaelc@cs.wisc.edu> for spotting this.
Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
-rw-r--r-- | drivers/scsi/sr_ioctl.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/drivers/scsi/sr_ioctl.c b/drivers/scsi/sr_ioctl.c index 03fbc4b4447..5d02ff4db6c 100644 --- a/drivers/scsi/sr_ioctl.c +++ b/drivers/scsi/sr_ioctl.c @@ -44,10 +44,11 @@ static int sr_read_tochdr(struct cdrom_device_info *cdi, int result; unsigned char *buffer; - buffer = kzalloc(32, GFP_KERNEL | SR_GFP_DMA(cd)); + buffer = kmalloc(32, GFP_KERNEL | SR_GFP_DMA(cd)); if (!buffer) return -ENOMEM; + memset(&cgc, 0, sizeof(struct packet_command)); cgc.timeout = IOCTL_TIMEOUT; cgc.cmd[0] = GPCMD_READ_TOC_PMA_ATIP; cgc.cmd[8] = 12; /* LSB of length */ @@ -73,10 +74,11 @@ static int sr_read_tocentry(struct cdrom_device_info *cdi, int result; unsigned char *buffer; - buffer = kzalloc(32, GFP_KERNEL | SR_GFP_DMA(cd)); + buffer = kmalloc(32, GFP_KERNEL | SR_GFP_DMA(cd)); if (!buffer) return -ENOMEM; + memset(&cgc, 0, sizeof(struct packet_command)); cgc.timeout = IOCTL_TIMEOUT; cgc.cmd[0] = GPCMD_READ_TOC_PMA_ATIP; cgc.cmd[1] |= (tocentry->cdte_format == CDROM_MSF) ? 0x02 : 0; |