* [PATCH] libata: zpodd: small read overflow in eject_tray()
@ 2018-05-29 9:13 Dan Carpenter
2018-05-29 13:50 ` Tejun Heo
2018-05-30 6:20 ` Aaron Lu
0 siblings, 2 replies; 3+ messages in thread
From: Dan Carpenter @ 2018-05-29 9:13 UTC (permalink / raw)
To: kernel-janitors
We read from the cdb[] buffer in ata_exec_internal_sg(). It has to be
ATAPI_CDB_LEN (16) bytes long, but this buffer is only 12 bytes.
Fixes: 213342053db5 ("libata: handle power transition of ODD")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/ata/libata-zpodd.c b/drivers/ata/libata-zpodd.c
index de4ddd0e8550..b3ed8f9953a8 100644
--- a/drivers/ata/libata-zpodd.c
+++ b/drivers/ata/libata-zpodd.c
@@ -35,7 +35,7 @@ struct zpodd {
static int eject_tray(struct ata_device *dev)
{
struct ata_taskfile tf;
- static const char cdb[] = { GPCMD_START_STOP_UNIT,
+ static const char cdb[ATAPI_CDB_LEN] = { GPCMD_START_STOP_UNIT,
0, 0, 0,
0x02, /* LoEj */
0, 0, 0, 0, 0, 0, 0,
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] libata: zpodd: small read overflow in eject_tray()
2018-05-29 9:13 [PATCH] libata: zpodd: small read overflow in eject_tray() Dan Carpenter
@ 2018-05-29 13:50 ` Tejun Heo
2018-05-30 6:20 ` Aaron Lu
1 sibling, 0 replies; 3+ messages in thread
From: Tejun Heo @ 2018-05-29 13:50 UTC (permalink / raw)
To: kernel-janitors
On Tue, May 29, 2018 at 12:13:24PM +0300, Dan Carpenter wrote:
> We read from the cdb[] buffer in ata_exec_internal_sg(). It has to be
> ATAPI_CDB_LEN (16) bytes long, but this buffer is only 12 bytes.
>
> Fixes: 213342053db5 ("libata: handle power transition of ODD")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Applied to libata/for-4.17-fixes w/ stable cc'd.
Thanks.
--
tejun
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] libata: zpodd: small read overflow in eject_tray()
2018-05-29 9:13 [PATCH] libata: zpodd: small read overflow in eject_tray() Dan Carpenter
2018-05-29 13:50 ` Tejun Heo
@ 2018-05-30 6:20 ` Aaron Lu
1 sibling, 0 replies; 3+ messages in thread
From: Aaron Lu @ 2018-05-30 6:20 UTC (permalink / raw)
To: kernel-janitors
On Tue, May 29, 2018 at 12:13:24PM +0300, Dan Carpenter wrote:
> We read from the cdb[] buffer in ata_exec_internal_sg(). It has to be
> ATAPI_CDB_LEN (16) bytes long, but this buffer is only 12 bytes.
Thanks for the fix!
>
> Fixes: 213342053db5 ("libata: handle power transition of ODD")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> diff --git a/drivers/ata/libata-zpodd.c b/drivers/ata/libata-zpodd.c
> index de4ddd0e8550..b3ed8f9953a8 100644
> --- a/drivers/ata/libata-zpodd.c
> +++ b/drivers/ata/libata-zpodd.c
> @@ -35,7 +35,7 @@ struct zpodd {
> static int eject_tray(struct ata_device *dev)
> {
> struct ata_taskfile tf;
> - static const char cdb[] = { GPCMD_START_STOP_UNIT,
> + static const char cdb[ATAPI_CDB_LEN] = { GPCMD_START_STOP_UNIT,
> 0, 0, 0,
> 0x02, /* LoEj */
> 0, 0, 0, 0, 0, 0, 0,
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2018-05-30 6:20 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-05-29 9:13 [PATCH] libata: zpodd: small read overflow in eject_tray() Dan Carpenter
2018-05-29 13:50 ` Tejun Heo
2018-05-30 6:20 ` Aaron Lu
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.