Date:      Thu, 16 Jul 2009 19:48:39 +0000 (UTC)
From:      Alexander Motin <mav@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r195724 - head/sys/dev/ata
Message-ID:  <200907161948.n6GJmdV5038391@svn.freebsd.org>

Author: mav
Date: Thu Jul 16 19:48:39 2009
New Revision: 195724
URL: http://svn.freebsd.org/changeset/base/195724

Log:
  Limit IOCATAREQUEST ioctl data size to controller's maximum I/O size.
  It fixes a kernel panic when the requested size is too large (0xffffffff).
  
  PR:             kern/136726
  Approved by:    re (kib)
  MFC after:      2 weeks

Modified:
  head/sys/dev/ata/ata-all.c

Modified: head/sys/dev/ata/ata-all.c
==============================================================================
--- head/sys/dev/ata/ata-all.c	Thu Jul 16 17:31:23 2009	(r195723)
+++ head/sys/dev/ata/ata-all.c	Thu Jul 16 19:48:39 2009	(r195724)
@@ -472,6 +472,7 @@ int
 ata_device_ioctl(device_t dev, u_long cmd, caddr_t data)
 {
     struct ata_device *atadev = device_get_softc(dev);
+    struct ata_channel *ch = device_get_softc(device_get_parent(dev));
     struct ata_ioc_request *ioc_request = (struct ata_ioc_request *)data;
     struct ata_params *params = (struct ata_params *)data;
     int *mode = (int *)data;
@@ -481,6 +482,10 @@ ata_device_ioctl(device_t dev, u_long cm
 
     switch (cmd) {
     case IOCATAREQUEST:
+	if (ioc_request->count >
+	    (ch->dma.max_iosize ? ch->dma.max_iosize : DFLTPHYS)) {
+		return (EFBIG);
+	}
 	if (!(buf = malloc(ioc_request->count, M_ATA, M_NOWAIT))) {
 	    return ENOMEM;
 	}
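Review bot: The new bound on `ioc_request->count` in the `IOCATAREQUEST` case rejects the 0xffffffff value named in the log only if the comparison is carried out unsigned, and the declarations of `count` and `dma.max_iosize` are outside this hunk, so that should be confirmed. If `count` turns out to be a signed type, stating the intent with a cast, `if ((u_int)ioc_request->count >`, or with a comment such as `/* count is user-supplied; compared unsigned so negative values are rejected */`, would keep the check from silently weakening if either type changes later. As a smaller style point, the added `return (EFBIG);` is indented with two tabs and parenthesised, while the neighbouring `return ENOMEM;` uses a tab plus four spaces and no parentheses. The body of ata_device_ioctl continues outside the hunk.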


