Hello! We're seeing a null pointer dereference with certain IDE tape drives on 2.6.11 when we use it with ide-scsi (i686 architecture). The problem is that the scatter-gather pages aren't mapped to kernel virtual address space in idescsi_output_buffers()/idescsi_input_buffers(), so, if these pages are in high memory, page_address() returns a null pointer.
This patch fixes the problem. I'll attach it as a file, too, just in case it gets mangled. Please let me know if there are any problems with or questions regarding this patch. Again, this patch is against 2.6.11. Thanks! Stuart Hayes [EMAIL PROTECTED] --- ide-scsi.c.orig 2005-03-08 13:44:38.000000000 -0500 +++ ide-scsi.c 2005-03-08 14:02:43.000000000 -0500 @@ -151,8 +151,9 @@ static void idescsi_input_buffers (ide_d return; } count = min(pc->sg->length - pc->b_count, bcount); - buf = page_address(pc->sg->page) + pc->sg->offset; + buf = kmap_atomic(pc->sg->page, KM_USER0) + pc->sg->offset; drive->hwif->atapi_input_bytes(drive, buf + pc->b_count, count); + kunmap_atomic(buf - pc->sg->offset, KM_USER0); bcount -= count; pc->b_count += count; if (pc->b_count == pc->sg->length) { pc->sg++; @@ -173,8 +174,9 @@ static void idescsi_output_buffers (ide_ return; } count = min(pc->sg->length - pc->b_count, bcount); - buf = page_address(pc->sg->page) + pc->sg->offset; + buf = kmap_atomic(pc->sg->page, KM_USER0) + pc->sg->offset; drive->hwif->atapi_output_bytes(drive, buf + pc->b_count, count); + kunmap_atomic(buf - pc->sg->offset, KM_USER0); bcount -= count; pc->b_count += count; if (pc->b_count == pc->sg->length) { pc->sg++;
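Review bot: In the first hunk (idescsi_input_buffers), the unmap address is recomputed as `buf - pc->sg->offset` instead of being kept from the `kmap_atomic()` call. That is correct only while nothing between the two lines changes `buf` or `pc->sg`. It would be more robust to hold the mapped base in its own local variable, set `buf` to that base plus `pc->sg->offset`, and pass the base straight to `kunmap_atomic()`. The hunk also maps every page unconditionally. If low-memory pages are the common case, a `PageHighMem(pc->sg->page)` test could keep the original `page_address()` path for them and take the atomic mapping only where it is needed.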
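Review bot: In the second hunk (idescsi_output_buffers), as in the first, the mapping uses the `KM_USER0` slot, and the visible lines do not show what context this function runs in. `KM_USER0` is meant for process context. If the buffer routines can be reached from the drive's interrupt handler, the mapping can overwrite a `KM_USER0` mapping that interrupted code on the same CPU is still using. Please state the calling context in the changelog. If it includes interrupt context, use `KM_IRQ0` with local interrupts disabled across the map, the `atapi_output_bytes()` call and the unmap.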
ide-scsi.2.6.11.patch