Date: Wed, 8 Jul 2020 19:58:01 +0000 (UTC) From: Gordon Tetlow <gordon@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r363024 - in releng: 11.3/sys/dev/mps 11.4/sys/dev/mps 12.1/sys/dev/mps Message-ID: <202007081958.068Jw1E4018233@repo.freebsd.org>
Author: gordon Date: Wed Jul 8 19:58:00 2020 New Revision: 363024 URL: https://svnweb.freebsd.org/changeset/base/363024 Log: Fix kernel panic in mps(4) driver. Approved by: so Security: FreeBSD-EN-20:15.mps Modified: releng/11.3/sys/dev/mps/mps_user.c releng/11.4/sys/dev/mps/mps_user.c releng/12.1/sys/dev/mps/mps_user.c
Modified: releng/11.3/sys/dev/mps/mps_user.c
==============================================================================
--- releng/11.3/sys/dev/mps/mps_user.c Wed Jul 8 19:57:24 2020 (r363023)
+++ releng/11.3/sys/dev/mps/mps_user.c Wed Jul 8 19:58:00 2020 (r363024)
@@ -1045,10 +1045,12 @@ mps_user_pass_thru(struct mps_softc *sc, mps_pass_thru
 if (((MPI2_SCSI_IO_REPLY *)rpl)->SCSIState &
 MPI2_SCSI_STATE_AUTOSENSE_VALID) {
 sense_len =
- MIN((le32toh(((MPI2_SCSI_IO_REPLY *)rpl)->SenseCount)),
- sizeof(struct scsi_sense_data));
+ MIN((le32toh(((MPI2_SCSI_IO_REPLY *)rpl)->
+ SenseCount)), sizeof(struct
+ scsi_sense_data));
 mps_unlock(sc);
- copyout(cm->cm_sense, cm->cm_req + 64, sense_len);
+ copyout(cm->cm_sense, (PTRIN(data->PtrReply +
+ sizeof(MPI2_SCSI_IO_REPLY))), sense_len);
 mps_lock(sc);
 }
 }
Modified: releng/11.4/sys/dev/mps/mps_user.c
==============================================================================
--- releng/11.4/sys/dev/mps/mps_user.c Wed Jul 8 19:57:24 2020 (r363023)
+++ releng/11.4/sys/dev/mps/mps_user.c Wed Jul 8 19:58:00 2020 (r363024)
@@ -1036,10 +1036,12 @@ mps_user_pass_thru(struct mps_softc *sc, mps_pass_thru
 if (((MPI2_SCSI_IO_REPLY *)rpl)->SCSIState &
 MPI2_SCSI_STATE_AUTOSENSE_VALID) {
 sense_len =
- MIN((le32toh(((MPI2_SCSI_IO_REPLY *)rpl)->SenseCount)),
- sizeof(struct scsi_sense_data));
+ MIN((le32toh(((MPI2_SCSI_IO_REPLY *)rpl)->
+ SenseCount)), sizeof(struct
+ scsi_sense_data));
 mps_unlock(sc);
- copyout(cm->cm_sense, cm->cm_req + 64, sense_len);
+ copyout(cm->cm_sense, (PTRIN(data->PtrReply +
+ sizeof(MPI2_SCSI_IO_REPLY))), sense_len);
 mps_lock(sc);
 }
 }
Modified: releng/12.1/sys/dev/mps/mps_user.c
==============================================================================
--- releng/12.1/sys/dev/mps/mps_user.c Wed Jul 8 19:57:24 2020 (r363023)
+++ releng/12.1/sys/dev/mps/mps_user.c Wed Jul 8 19:58:00 2020 (r363024)
@@ -1045,10 +1045,12 @@ mps_user_pass_thru(struct mps_softc *sc, mps_pass_thru
 if (((MPI2_SCSI_IO_REPLY *)rpl)->SCSIState &
 MPI2_SCSI_STATE_AUTOSENSE_VALID) {
 sense_len =
- MIN((le32toh(((MPI2_SCSI_IO_REPLY *)rpl)->SenseCount)),
- sizeof(struct scsi_sense_data));
+ MIN((le32toh(((MPI2_SCSI_IO_REPLY *)rpl)->
+ SenseCount)), sizeof(struct
+ scsi_sense_data));
 mps_unlock(sc);
- copyout(cm->cm_sense, cm->cm_req + 64, sense_len);
+ copyout(cm->cm_sense, (PTRIN(data->PtrReply +
+ sizeof(MPI2_SCSI_IO_REPLY))), sense_len);
 mps_lock(sc);
 }
 }
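Review bot: The result of `copyout()` is discarded in the new call, identically in all three hunks (releng/11.3, 11.4 and 12.1), so a fault on the caller-supplied address `data->PtrReply + sizeof(MPI2_SCSI_IO_REPLY)` is dropped silently and the pass-through presumably still reports success without having delivered sense data. The length is also clamped only to `sizeof(struct scsi_sense_data)`, not to the room the caller declared behind the reply frame; if the reply buffer size carried in `data` (the `ReplySize` field, to be confirmed against the struct) is smaller than `sizeof(MPI2_SCSI_IO_REPLY) + sense_len`, the copy writes past the end of the caller's buffer in user space. I would bound `sense_len` by the remaining reply space and keep the status, e.g. `err = copyout(cm->cm_sense, PTRIN(data->PtrReply + sizeof(MPI2_SCSI_IO_REPLY)), sense_len);`, assuming the function has an error variable it returns. mps_user_pass_thru starts and ends outside the hunks, so whether the reply size was validated earlier is not visible here.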