| author | Linus Torvalds <torvalds@linux-foundation.org> | 2015-09-02 12:22:54 -0700 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2015-09-02 12:22:54 -0700 |
| commit | df910390e2db07a76c87f258475f6c96253cee6c (patch) | |
| tree | d522f0f098688c330014c5d78be6b3e74de87b7e /drivers/message/fusion/mptctl.c | |
| parent | 91a247d7d3694a161092931ea4e0b13c11b8e9a0 (diff) | |
| parent | 9f55bca2b82a77a3cc3204900db2fc40ab30019e (diff) | |
Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

Pull first round of SCSI updates from James Bottomley:

"This includes one new driver: cxlflash plus the usual grab bag of
updates for the major drivers: qla2xxx, ipr, storvsc, pm80xx, hptiop,
plus a few assorted fixes.

There's another tranche coming, but I want to incubate it another few
days in the checkers, plus it includes a mpt2sas separated lifetime
fix, which Avago won't get done testing until Friday"

* tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: (85 commits)
aic94xx: set an error code on failure
storvsc: Set the error code correctly in failure conditions
storvsc: Allow write_same when host is windows 10
storvsc: use storage protocol version to determine storage capabilities
storvsc: use correct defaults for values determined by protocol negotiation
storvsc: Untangle the storage protocol negotiation from the vmbus protocol negotiation.
storvsc: Use a single value to track protocol versions
storvsc: Rather than look for sets of specific protocol versions, make decisions based on ranges.
cxlflash: Remove unused variable from queuecommand
cxlflash: shift wrapping bug in afu_link_reset()
cxlflash: off by one bug in cxlflash_show_port_status()
cxlflash: Virtual LUN support
cxlflash: Superpipe support
cxlflash: Base error recovery support
qla2xxx: Update driver version to 8.07.00.26-k
qla2xxx: Add pci device id 0x2261.
qla2xxx: Fix missing device login retries.
qla2xxx: do not clear slot in outstanding cmd array
qla2xxx: Remove decrement of sp reference count in abort handler.
qla2xxx: Add support to show MPI and PEP FW version for ISP27xx.
...
Diffstat (limited to 'drivers/message/fusion/mptctl.c')
| -rw-r--r-- | drivers/message/fusion/mptctl.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/drivers/message/fusion/mptctl.c b/drivers/message/fusion/mptctl.c index 70bb7530b22c..fc7393729081 100644 --- a/drivers/message/fusion/mptctl.c +++ b/drivers/message/fusion/mptctl.c @@ -1859,6 +1859,15 @@ mptctl_do_mpt_command (struct mpt_ioctl_command karg, void __user *mfPtr) } spin_unlock_irqrestore(&ioc->taskmgmt_lock, flags); + /* Basic sanity checks to prevent underflows or integer overflows */ + if (karg.maxReplyBytes < 0 || + karg.dataInSize < 0 || + karg.dataOutSize < 0 || + karg.dataSgeOffset < 0 || + karg.maxSenseBytes < 0 || + karg.dataSgeOffset > ioc->req_sz / 4) + return -EINVAL; + /* Verify that the final request frame will not be too large. */ sz = karg.dataSgeOffset * 4; |
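
Review bot: The added check in mptctl_do_mpt_command() puts an upper bound only on karg.dataSgeOffset; maxReplyBytes, dataInSize, dataOutSize and maxSenseBytes are rejected when negative but can still be arbitrarily large as far as this hunk shows. If later code in the function caps them against buffer or frame sizes, a short comment saying so would help; otherwise the limits belong here, next to the sign checks, so that all validation of the user-supplied karg fields happens in one place before any of them is used in arithmetic. Two smaller points: the `< 0` comparisons only do anything if these fields are signed, which the hunk does not show, so it is worth confirming that none of them is an unsigned type for which the test is always false; and the `ioc->req_sz / 4` bound mirrors `sz = karg.dataSgeOffset * 4` just below, so the comment could state that dataSgeOffset is counted in 4-byte units rather than leaving the reader to infer it from the two constants.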
