From: James Bottomley Date: Tue, 7 Mar 2006 20:53:40 +0000 (-0600) Subject: [SCSI] sr: partial revert of 24669f75a3231fa37444977c92d1f4838bec1233 X-Git-Tag: v2.6.17-rc1~1129^2~4^2~76 X-Git-Url: http://pilppa.com/gitweb/?a=commitdiff_plain;h=e12f0a3dec17de3d847f533ba81ad6956c9da5fd;p=linux-2.6-omap-h63xx.git [SCSI] sr: partial revert of 24669f75a3231fa37444977c92d1f4838bec1233 The patch [SCSI] SCSI core kmalloc2kzalloc Has an incorrect piece in sr_ioctl.c; it changes buffer from kmalloc to kzalloc, but then removes the clearing of the stack variable struct packet_command. This, in turn leaves rubbish in the sense pointer which the sr_do_ioctl() command then happily writes to ... oops. Thanks to Mike Christie for spotting this. Signed-off-by: James Bottomley --- diff --git a/drivers/scsi/sr_ioctl.c b/drivers/scsi/sr_ioctl.c index 03fbc4b4447..5d02ff4db6c 100644 --- a/drivers/scsi/sr_ioctl.c +++ b/drivers/scsi/sr_ioctl.c @@ -44,10 +44,11 @@ static int sr_read_tochdr(struct cdrom_device_info *cdi, int result; unsigned char *buffer; - buffer = kzalloc(32, GFP_KERNEL | SR_GFP_DMA(cd)); + buffer = kmalloc(32, GFP_KERNEL | SR_GFP_DMA(cd)); if (!buffer) return -ENOMEM; + memset(&cgc, 0, sizeof(struct packet_command)); cgc.timeout = IOCTL_TIMEOUT; cgc.cmd[0] = GPCMD_READ_TOC_PMA_ATIP; cgc.cmd[8] = 12; /* LSB of length */ @@ -73,10 +74,11 @@ static int sr_read_tocentry(struct cdrom_device_info *cdi, int result; unsigned char *buffer; - buffer = kzalloc(32, GFP_KERNEL | SR_GFP_DMA(cd)); + buffer = kmalloc(32, GFP_KERNEL | SR_GFP_DMA(cd)); if (!buffer) return -ENOMEM; + memset(&cgc, 0, sizeof(struct packet_command)); cgc.timeout = IOCTL_TIMEOUT; cgc.cmd[0] = GPCMD_READ_TOC_PMA_ATIP; cgc.cmd[1] |= (tocentry->cdte_format == CDROM_MSF) ? 0x02 : 0;
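Review bot: in the sr_read_tochdr() hunk, the restored `memset(&cgc, 0, sizeof(struct packet_command));` is the line that actually fixes the oops described in the commit message: `cgc` is a stack variable, so without the memset `cgc.sense` and every field not explicitly assigned below (including the `cgc.cmd[]` bytes other than [0] and [8]) hold leftover stack contents, and sr_do_ioctl() then writes sense data through that garbage pointer. The `kzalloc` to `kmalloc` change for `buffer` is not needed for the fix; the zeroed allocation was harmless, and keeping kzalloc would be marginally safer if the drive returns fewer than the 12 bytes requested in `cgc.cmd[8]`. Suggest a one-line comment above the memset stating that sr_do_ioctl() dereferences `cgc.sense`, so a future kmalloc-to-kzalloc cleanup does not remove it again.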
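Review bot: in the sr_read_tocentry() hunk, the trailing context line `cgc.cmd[1] |= (tocentry->cdte_format == CDROM_MSF) ? 0x02 : 0;` depends on `cgc.cmd[1]` starting at zero, so the restored memset here closes a second, silent problem beyond the sense pointer: without it the OR merges the MSF bit into a stale stack byte and an unintended CDB byte reaches the drive. That makes this memset load-bearing for the command bytes as well, which is worth noting in a comment next to it. As in the previous hunk, switching `buffer` back to `kmalloc` is a revert of a harmless part of the original kmalloc2kzalloc patch rather than part of the fix, and could be left as kzalloc.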