diff options
| -rw-r--r-- | drivers/scsi/storvsc_drv.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c index 7b686268ad19..5c9f6b761fd6 100644 --- a/drivers/scsi/storvsc_drv.c +++ b/drivers/scsi/storvsc_drv.c @@ -1100,6 +1100,10 @@ static void storvsc_command_completion(struct storvsc_cmd_request *cmd_request, data_transfer_length = 0; } + /* Validate data_transfer_length (from Hyper-V) */ + if (data_transfer_length > cmd_request->payload->range.len) + data_transfer_length = cmd_request->payload->range.len; + scsi_set_resid(scmnd, cmd_request->payload->range.len - data_transfer_length); @@ -1140,6 +1144,11 @@ static void storvsc_on_io_completion(struct storvsc_device *stor_device, /* Copy over the status...etc */ stor_pkt->vm_srb.scsi_status = vstor_packet->vm_srb.scsi_status; stor_pkt->vm_srb.srb_status = vstor_packet->vm_srb.srb_status; + + /* Validate sense_info_length (from Hyper-V) */ + if (vstor_packet->vm_srb.sense_info_length > sense_buffer_size) + vstor_packet->vm_srb.sense_info_length = sense_buffer_size; + stor_pkt->vm_srb.sense_info_length = vstor_packet->vm_srb.sense_info_length; @@ -1565,6 +1574,7 @@ static int storvsc_host_reset_handler(struct scsi_cmnd *scmnd) request = &stor_device->reset_request; vstor_packet = &request->vstor_packet; + memset(vstor_packet, 0, sizeof(struct vstor_packet)); init_completion(&request->wait_event); @@ -1668,6 +1678,7 @@ static int storvsc_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *scmnd) /* Setup the cmd request */ cmd_request->cmd = scmnd; + memset(&cmd_request->vstor_packet, 0, sizeof(struct vstor_packet)); vm_srb = &cmd_request->vstor_packet.vm_srb; vm_srb->win8_extension.time_out_value = 60; |