From 120bb3e1e36da9c1ae6b978c825a28b944a5d7c5 Mon Sep 17 00:00:00 2001
From: Tony Battersby
Date: Mon, 8 Dec 2014 17:20:52 -0500
Subject: [PATCH] scsi: fix random memory corruption with scsi-mq + T10 PI

This fixes random memory corruption triggered when all three of the following are true:
* scsi-mq enabled
* T10 Protection Information (DIF) enabled
* SCSI host with sg_tablesize > SCSI_MAX_SG_SEGMENTS (128)

The symptoms of this bug are unpredictable memory corruption, BUG()s, oopses, lockups, etc., any of which may appear to be completely unrelated to the root cause.

Cc: # 3.17.x, 3.18.x
Signed-off-by: Tony Battersby
Reviewed-by: Nicholas Bellinger
Signed-off-by: Christoph Hellwig
---
 drivers/scsi/scsi_lib.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 43318d556cbc..9ea95dd3e260 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -1918,7 +1918,9 @@ static int scsi_mq_prep_fn(struct request *req)
 if (scsi_host_get_prot(shost)) {
 cmd->prot_sdb = (void *)sg +
- shost->sg_tablesize * sizeof(struct scatterlist);
+ min_t(unsigned int,
+ shost->sg_tablesize, SCSI_MAX_SG_SEGMENTS) *
+ sizeof(struct scatterlist);
 memset(cmd->prot_sdb, 0, sizeof(struct scsi_data_buffer));
 cmd->prot_sdb->table.sgl =
--
2.34.1
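Review bot: The clamped offset for `cmd->prot_sdb` now has to agree, by hand, with whatever size calculation allocated the per-command area behind `sg`, and nothing in the new lines records that coupling. The allocation is not visible in this hunk; going by the commit message it presumably caps the data scatterlist at SCSI_MAX_SG_SEGMENTS entries, which is why an uncapped `shost->sg_tablesize` put `prot_sdb` (and the `memset` that follows) past the end of that area. I would add a comment above the assignment such as `/* data sg list is capped at SCSI_MAX_SG_SEGMENTS entries when allocated; use the same cap here or prot_sdb lands outside the command's buffer */`. Ideally the byte size would come from one shared helper used by both the allocation and this offset, so the two cannot drift apart again. The body of scsi_mq_prep_fn starts and ends outside the hunk.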