Merge master.kernel.org:/pub/scm/linux/kernel/git/torvalds/linux-2.6 into next

author: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2008-07-21 04:55:14 (GMT)
committer: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2008-07-21 04:55:14 (GMT)
commit: 908cf4b925e419bc74f3297b2f0e51d6f8a81da2 (patch)
tree: 6c2da79366d4695a9c2560ab18259eca8a2a25b4 /drivers/scsi/aacraid/commctrl.c
parent: 92c49890922d54cba4b1eadeb0b185773c2c9570 (diff)
parent: 14b395e35d1afdd8019d11b92e28041fad591b71 (diff)
download: linux-fsl-qoriq-908cf4b925e419bc74f3297b2f0e51d6f8a81da2.tar.xz
1 files changed, 33 insertions, 0 deletions
diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
index 5fd83de..a735526 100644
--- a/drivers/scsi/aacraid/commctrl.c
+++ b/drivers/scsi/aacraid/commctrl.c
@@ -41,6 +41,7 @@
 #include <linux/kthread.h>
 #include <linux/semaphore.h>
 #include <asm/uaccess.h>
+#include <scsi/scsi_host.h>
 
 #include "aacraid.h"
 
@@ -581,6 +582,14 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
 			for (i = 0; i < upsg->count; i++) {
 				u64 addr;
 				void* p;
+				if (upsg->sg[i].count >
+				    (dev->adapter_info.options &
+				     AAC_OPT_NEW_COMM) ?
+				      (dev->scsi_host_ptr->max_sectors << 9) :
+				      65536) {
+					rcode = -EINVAL;
+					goto cleanup;
+				}
 				/* Does this really need to be GFP_DMA? */
 				p = kmalloc(upsg->sg[i].count,GFP_KERNEL|__GFP_DMA);
 				if(!p) {
@@ -625,6 +634,14 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
 			for (i = 0; i < usg->count; i++) {
 				u64 addr;
 				void* p;
+				if (usg->sg[i].count >
+				    (dev->adapter_info.options &
+				     AAC_OPT_NEW_COMM) ?
+				      (dev->scsi_host_ptr->max_sectors << 9) :
+				      65536) {
+					rcode = -EINVAL;
+					goto cleanup;
+				}
 				/* Does this really need to be GFP_DMA? */
 				p = kmalloc(usg->sg[i].count,GFP_KERNEL|__GFP_DMA);
 				if(!p) {
@@ -667,6 +684,14 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
 			for (i = 0; i < upsg->count; i++) {
 				uintptr_t addr;
 				void* p;
+				if (usg->sg[i].count >
+				    (dev->adapter_info.options &
+				     AAC_OPT_NEW_COMM) ?
+				      (dev->scsi_host_ptr->max_sectors << 9) :
+				      65536) {
+					rcode = -EINVAL;
+					goto cleanup;
+				}
 				/* Does this really need to be GFP_DMA? */
 				p = kmalloc(usg->sg[i].count,GFP_KERNEL|__GFP_DMA);
 				if(!p) {
@@ -698,6 +723,14 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
 			for (i = 0; i < upsg->count; i++) {
 				dma_addr_t addr;
 				void* p;
+				if (upsg->sg[i].count >
+				    (dev->adapter_info.options &
+				     AAC_OPT_NEW_COMM) ?
+				      (dev->scsi_host_ptr->max_sectors << 9) :
+				      65536) {
+					rcode = -EINVAL;
+					goto cleanup;
+				}
 				p = kmalloc(upsg->sg[i].count, GFP_KERNEL);
 				if (!p) {
 					dprintk((KERN_DEBUG"aacraid: Could not allocate SG buffer - size = %d buffer number %d of %d\n",
author	Dmitry Torokhov <dmitry.torokhov@gmail.com>	2008-07-21 04:55:14 (GMT)
committer	Dmitry Torokhov <dmitry.torokhov@gmail.com>	2008-07-21 04:55:14 (GMT)
commit	908cf4b925e419bc74f3297b2f0e51d6f8a81da2 (patch)
tree	6c2da79366d4695a9c2560ab18259eca8a2a25b4 /drivers/scsi/aacraid/commctrl.c
parent	92c49890922d54cba4b1eadeb0b185773c2c9570 (diff)
parent	14b395e35d1afdd8019d11b92e28041fad591b71 (diff)
download	linux-fsl-qoriq-908cf4b925e419bc74f3297b2f0e51d6f8a81da2.tar.xz