3.16.74-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Vasquez andrewv@marvell.com
commit 5cbdae10bf11f96e30b4d14de7b08c8b490e903c upstream.
Commit e6f77540c067 ("scsi: qla2xxx: Fix an integer overflow in sysfs code") incorrectly set 'optrom_region_size' to 'start+size', which can overflow option-rom boundaries when 'start' is non-zero. Continue setting optrom_region_size to the proper adjusted value of 'size'.
Fixes: e6f77540c067 ("scsi: qla2xxx: Fix an integer overflow in sysfs code") Signed-off-by: Andrew Vasquez andrewv@marvell.com Signed-off-by: Himanshu Madhani hmadhani@marvell.com Signed-off-by: Martin K. Petersen martin.petersen@oracle.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/scsi/qla2xxx/qla_attr.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/scsi/qla2xxx/qla_attr.c +++ b/drivers/scsi/qla2xxx/qla_attr.c @@ -423,7 +423,7 @@ qla2x00_sysfs_write_optrom_ctl(struct fi }
ha->optrom_region_start = start; - ha->optrom_region_size = start + size; + ha->optrom_region_size = size;
ha->optrom_state = QLA_SREADING; ha->optrom_buffer = vmalloc(ha->optrom_region_size); @@ -495,7 +495,7 @@ qla2x00_sysfs_write_optrom_ctl(struct fi }
ha->optrom_region_start = start; - ha->optrom_region_size = start + size; + ha->optrom_region_size = size;
ha->optrom_state = QLA_SWRITING; ha->optrom_buffer = vmalloc(ha->optrom_region_size);