From: David Jeffery
Date: Mon, 28 Sep 2009 17:54:24 +0000 (-0400)
Subject: [SCSI] st: fix possible memory use after free after MTSETBLK ioctl
X-Git-Tag: v2.6.32-rc4~9^2~1
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2c2ed8bfd899b84ecbf71d28fcc2cc4ace36c8d9;p=pandora-kernel.git

[SCSI] st: fix possible memory use after free after MTSETBLK ioctl

A memory use after free bug can manifest if the MTSETBLK or SET_DENS_AND_BLK ioctl features are used to set the tape's blocksize from 0 to non-zero. After the driver sets the new block size, in this one case it calls normalize_buffer() to free the device's internal data buffers. However, the ioctl code assumes there is always a buffer and does not check or allocate a buffer if there isn't one. So any following ioctl calls can corrupt a part of memory by writing data to memory that the st driver had freed.

This patch removes the normalize_buffer() call and the specialness of changing from a 0 to non-zero blocksize to fix the possible use of memory after it has been freed by the st driver.

signed-off-by: David Jeffery
Acked-by: Kai Makisara
Signed-off-by: James Bottomley
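Added illustration of the buffer-ownership invariant the commit message describes, as a constructed userland model in C rather than the st driver's own code (the `tape_dev` struct, the function names and the sizes are assumptions): the pre-fix block-size path drops the buffer on the 0 to non-zero change and a later ioctl that assumes a buffer exists has nothing live to write into, while the post-fix path keeps the buffer, and a defensive handler re-checks instead of assuming.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the driver state, not the st driver's own structs. */
struct tape_dev {
    char *buf;       /* internal data buffer, NULL once released */
    size_t buf_len;
    int block_size;  /* 0 = variable-length blocks */
};

/* Before the fix: the 0 -> non-zero change is special-cased and drops the
 * buffer (the role normalize_buffer() played); nothing reallocates it. */
static void setblk_before_fix(struct tape_dev *d, int new_bs)
{
    if (d->block_size == 0 && new_bs != 0) {
        free(d->buf);
        d->buf = NULL;
        d->buf_len = 0;
    }
    d->block_size = new_bs;
}
/* After the fix: no special case, the existing buffer is kept. */
static void setblk_after_fix(struct tape_dev *d, int new_bs)
{
    d->block_size = new_bs;
}

/* A later ioctl staging one block: 1 if it wrote into a live buffer, 0 if it
 * would have touched memory already given back. `defensive` re-checks. */
static int stage_block(struct tape_dev *d, int defensive)
{
    size_t need = d->block_size > 0 ? (size_t)d->block_size : 512;
    if (!d->buf || d->buf_len < need) {
        char *nb = defensive ? realloc(d->buf, need) : NULL;
        if (!nb)
            return 0;
        d->buf = nb;
        d->buf_len = need;
    }
    memset(d->buf, 0xAB, need);
    return 1;
}

/* Allocate, set block size 0 -> 1024 the given way, run the follow-up ioctl. */
static int scenario(void (*setblk)(struct tape_dev *, int), int defensive)
{
    struct tape_dev d = { malloc(4096), 4096, 0 };
    int ok = d.buf != NULL;
    setblk(&d, 1024);
    ok = ok && stage_block(&d, defensive);
    free(d.buf);
    return ok;
}
```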