ide-cd: fix oops when using growisofs

commit e8e7b9eb11c34ee18bde8b7011af41938d1ad667 upstream

cdrom_read_capacity() will blindly return the capacity from the device
without sanity-checking it.  This later causes code in fs/buffer.c to
oops.

Fix this by checking that the device is telling us sensible things.

From: Jens Axboe <jens.axboe@oracle.com>
Cc: Michael Buesch <mb@bu3sch.de>
Cc: Jan Kara <jack@suse.cz>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Borislav Petkov <petkovbb@googlemail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
[bart: print device name instead of driver name]
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
[harvey: blocklen is a big-endian value]
Signed-off-by: Harvey Harrison <harvey.harrison@gmail.com>
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/drivers/ide/ide-cd.c b/drivers/ide/ide-cd.c
index c8d0e8715997475abe51e683ee5b5aff2f44109c..e54da025a31c1ac43bbf02d2a32c594ad1f9d378 100644 (file)
--- a/drivers/ide/ide-cd.c
+++ b/drivers/ide/ide-cd.c
@@ -1421,13 +1421,30 @@ static int cdrom_read_capacity(ide_drive_t *drive, unsigned long *capacity,
        req.cmd_flags |= REQ_QUIET;
 
        stat = ide_cd_queue_pc(drive, &req);
-       if (stat == 0) {
-               *capacity = 1 + be32_to_cpu(capbuf.lba);
-               *sectors_per_frame =
-                       be32_to_cpu(capbuf.blocklen) >> SECTOR_BITS;
+       if (stat)
+               return stat;
+
+       /*
+        * Sanity check the given block size
+        */
+       switch (capbuf.blocklen) {
+       case __constant_cpu_to_be32(512):
+       case __constant_cpu_to_be32(1024):
+       case __constant_cpu_to_be32(2048):
+       case __constant_cpu_to_be32(4096):
+               break;
+       default:
+               printk(KERN_ERR "%s: weird block size %u\n",
+                       drive->name, capbuf.blocklen);
+               printk(KERN_ERR "%s: default to 2kb block size\n",
+                       drive->name);
+               capbuf.blocklen = __constant_cpu_to_be32(2048);
+               break;
        }
 
-       return stat;
+       *capacity = 1 + be32_to_cpu(capbuf.lba);
+       *sectors_per_frame = be32_to_cpu(capbuf.blocklen) >> SECTOR_BITS;
+       return 0;
 }
 
 static int cdrom_read_tocentry(ide_drive_t *drive, int trackno, int msf_flag,