From: Tony Battersby Date: Mon, 8 Dec 2014 22:20:52 +0000 (-0500) Subject: scsi: fix random memory corruption with scsi-mq + T10 PI X-Git-Tag: firefly_0821_release~176^2~2603^2~2 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=120bb3e1e36da9c1ae6b978c825a28b944a5d7c5;p=firefly-linux-kernel-4.4.55.git scsi: fix random memory corruption with scsi-mq + T10 PI This fixes random memory corruption triggered when all three of the following are true: * scsi-mq enabled * T10 Protection Information (DIF) enabled * SCSI host with sg_tablesize > SCSI_MAX_SG_SEGMENTS (128) The symptoms of this bug are unpredictable memory corruption, BUG()s, oopses, lockups, etc., any of which may appear to be completely unrelated to the root cause. Cc: # 3.17.x, 3.18.x Signed-off-by: Tony Battersby Reviewed-by: Nicholas Bellinger Signed-off-by: Christoph Hellwig --- diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c index 43318d556cbc..9ea95dd3e260 100644 --- a/drivers/scsi/scsi_lib.c +++ b/drivers/scsi/scsi_lib.c @@ -1918,7 +1918,9 @@ static int scsi_mq_prep_fn(struct request *req) if (scsi_host_get_prot(shost)) { cmd->prot_sdb = (void *)sg + - shost->sg_tablesize * sizeof(struct scatterlist); + min_t(unsigned int, + shost->sg_tablesize, SCSI_MAX_SG_SEGMENTS) * + sizeof(struct scatterlist); memset(cmd->prot_sdb, 0, sizeof(struct scsi_data_buffer)); cmd->prot_sdb->table.sgl =