From e12f0a3dec17de3d847f533ba81ad6956c9da5fd Mon Sep 17 00:00:00 2001
From: James Bottomley
Date: Tue, 7 Mar 2006 14:53:40 -0600
Subject: [PATCH] [SCSI] sr: partial revert of 24669f75a3231fa37444977c92d1f4838bec1233

The patch
[SCSI] SCSI core kmalloc2kzalloc
Has an incorrect piece in sr_ioctl.c; it changes buffer from kmalloc to kzalloc, but then removes the clearing of the stack variable struct packet_command. This, in turn leaves rubbish in the sense pointer which the sr_do_ioctl() command then happily writes to ... oops.

Thanks to Mike Christie for spotting this.

Signed-off-by: James Bottomley
---
 drivers/scsi/sr_ioctl.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/sr_ioctl.c b/drivers/scsi/sr_ioctl.c
index 03fbc4b44473..5d02ff4db6cc 100644
--- a/drivers/scsi/sr_ioctl.c
+++ b/drivers/scsi/sr_ioctl.c
@@ -44,10 +44,11 @@ static int sr_read_tochdr(struct cdrom_device_info *cdi,
 int result;
 unsigned char *buffer;
 
- buffer = kzalloc(32, GFP_KERNEL | SR_GFP_DMA(cd));
+ buffer = kmalloc(32, GFP_KERNEL | SR_GFP_DMA(cd));
 if (!buffer)
 return -ENOMEM;
 
+ memset(&cgc, 0, sizeof(struct packet_command));
 cgc.timeout = IOCTL_TIMEOUT;
 cgc.cmd[0] = GPCMD_READ_TOC_PMA_ATIP;
 cgc.cmd[8] = 12; /* LSB of length */
@@ -73,10 +74,11 @@ static int sr_read_tocentry(struct cdrom_device_info *cdi,
 int result;
 unsigned char *buffer;
 
- buffer = kzalloc(32, GFP_KERNEL | SR_GFP_DMA(cd));
+ buffer = kmalloc(32, GFP_KERNEL | SR_GFP_DMA(cd));
 if (!buffer)
 return -ENOMEM;
 
+ memset(&cgc, 0, sizeof(struct packet_command));
 cgc.timeout = IOCTL_TIMEOUT;
 cgc.cmd[0] = GPCMD_READ_TOC_PMA_ATIP;
 cgc.cmd[1] |= (tocentry->cdte_format == CDROM_MSF) ? 0x02 : 0;
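Review bot: Reverting `kzalloc` back to `kmalloc` for `buffer` in sr_read_tochdr is not needed for the fix the commit message describes, which is entirely about the missing `memset` of the stack `cgc`; the zeroed allocation was the harmless half of the original patch. Keeping `buffer = kzalloc(32, GFP_KERNEL | SR_GFP_DMA(cd));` costs nothing and means that if the drive answers with fewer than 32 bytes, the fields later copied out of `buffer` (outside this hunk, so I am inferring from the READ TOC command being set up here) hold zeros rather than whatever was left on the heap. Separately, `memset(&cgc, 0, sizeof(cgc));` is the usual idiom and stays correct if the variable's type ever changes. The body of sr_read_tochdr continues past the end of the hunk.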
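Review bot: In sr_read_tocentry the restored `memset` is what makes `cgc.cmd[1] |= (tocentry->cdte_format == CDROM_MSF) ? 0x02 : 0;` well defined, since `|=` on a stack struct that was never cleared read garbage before this patch; writing it as `cgc.cmd[1] = (tocentry->cdte_format == CDROM_MSF) ? 0x02 : 0;` would make the intent plain and remove the silent dependency on the memset above it. The same remark about the `kmalloc` revert applies here: with `kmalloc` the TOC entry fields presumably decoded from `buffer` after the hunk (not visible here) would expose uninitialized heap contents to the ioctl caller on a short device response unless the returned length is checked, whereas `kzalloc` made that path benign. The function continues beyond the last line shown.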