authorJames Bottomley <jejb@mulgrave.il.steeleye.com>2006-03-07 23:53:40 +0300
committerJames Bottomley <jejb@mulgrave.il.steeleye.com>2006-03-07 23:53:40 +0300
commite12f0a3dec17de3d847f533ba81ad6956c9da5fd (patch)
treedb7c3936468c363d5ba710c6b6e2612a2a734964
parent5e6575c051f3313feb9fe1aad61263b3560df5cc (diff)
[SCSI] sr: partial revert of 24669f75a3231fa37444977c92d1f4838bec1233
The patch [SCSI] SCSI core kmalloc2kzalloc has an incorrect piece in sr_ioctl.c; it changes buffer from kmalloc to kzalloc, but then removes the clearing of the stack variable struct packet_command. This, in turn, leaves rubbish in the sense pointer which the sr_do_ioctl() command then happily writes to ... oops. Thanks to Mike Christie <michaelc@cs.wisc.edu> for spotting this. Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
-rw-r--r--drivers/scsi/sr_ioctl.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/drivers/scsi/sr_ioctl.c b/drivers/scsi/sr_ioctl.c
index 03fbc4b44473..5d02ff4db6cc 100644
--- a/drivers/scsi/sr_ioctl.c
+++ b/drivers/scsi/sr_ioctl.c
@@ -44,10 +44,11 @@ static int sr_read_tochdr(struct cdrom_device_info *cdi,
int result;
unsigned char *buffer;
- buffer = kzalloc(32, GFP_KERNEL | SR_GFP_DMA(cd));
+ buffer = kmalloc(32, GFP_KERNEL | SR_GFP_DMA(cd));
if (!buffer)
return -ENOMEM;
+ memset(&cgc, 0, sizeof(struct packet_command));
cgc.timeout = IOCTL_TIMEOUT;
cgc.cmd[0] = GPCMD_READ_TOC_PMA_ATIP;
cgc.cmd[8] = 12; /* LSB of length */
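Review bot: Switching the allocation back to `kmalloc` in sr_read_tochdr leaves the 32-byte DMA buffer uninitialized, although the oops described in the commit message comes only from the uncleared `cgc`, which the added `memset` already fixes. If the code after this hunk reads bytes from `buffer` when the command fails or the drive returns fewer bytes than requested (not visible here), stale heap contents could reach the caller. Keeping `buffer = kzalloc(32, GFP_KERNEL | SR_GFP_DMA(cd));` alongside the memset would avoid that; the same applies to the sr_read_tocentry hunk. The function body continues outside the hunk.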
@@ -73,10 +74,11 @@ static int sr_read_tocentry(struct cdrom_device_info *cdi,
int result;
unsigned char *buffer;
- buffer = kzalloc(32, GFP_KERNEL | SR_GFP_DMA(cd));
+ buffer = kmalloc(32, GFP_KERNEL | SR_GFP_DMA(cd));
if (!buffer)
return -ENOMEM;
+ memset(&cgc, 0, sizeof(struct packet_command));
cgc.timeout = IOCTL_TIMEOUT;
cgc.cmd[0] = GPCMD_READ_TOC_PMA_ATIP;
cgc.cmd[1] |= (tocentry->cdte_format == CDROM_MSF) ? 0x02 : 0;
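Review bot: `cgc.cmd[1] |= ...` in sr_read_tocentry is a read-modify-write on a stack field, so it is only well-defined because of the `memset` added a few lines above it; a plain assignment, `cgc.cmd[1] = (tocentry->cdte_format == CDROM_MSF) ? 0x02 : 0;`, would not depend on the clear staying in place. I would also write the clear as `memset(&cgc, 0, sizeof(cgc));` so the size follows the variable, and add a comment such as `/* sr_do_ioctl() writes through cgc.sense, so it must start out NULL */`. The function body continues outside the hunk.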