cc29a1b0a3
scsi_mq_setup_tags(), which is called by scsi_add_host(), calculates the command size to allocate based on the prot_capabilities. In the isci driver, scsi_host_set_prot() is called after scsi_add_host() so the command size gets calculated to be smaller than it needs to be. Eventually, scsi_mq_init_request() locates the 'prot_sdb' after the command assuming it was sized correctly and a buffer overrun may occur. However, seeing blk_mq_alloc_rqs() rounds up to the nearest cache line size, the mistake can go unnoticed. The bug was noticed after the struct request size was reduced by commit

- host.c
- host.h
- init.c
- isci.h
- Makefile
- phy.c
- phy.h
- port_config.c
- port.c
- port.h
- probe_roms.c
- probe_roms.h
- registers.h
- remote_device.c
- remote_device.h
- remote_node_context.c
- remote_node_context.h
- remote_node_table.c
- remote_node_table.h
- request.c
- request.h
- sas.h
- scu_completion_codes.h
- scu_event_codes.h
- scu_remote_node_context.h
- scu_task_context.h
- task.c
- task.h
- unsolicited_frame_control.c
- unsolicited_frame_control.h