isci: fix smp response frame overrun
authorDan Williams <dan.j.williams@intel.com>
Fri, 17 Jun 2011 00:20:35 +0000 (17:20 -0700)
committerDan Williams <dan.j.williams@intel.com>
Sun, 3 Jul 2011 11:04:51 +0000 (04:04 -0700)
Due to a typo we currently copy way too much when copying over the
response data, but since a request is likely backed by a full page
allocation we don't corrupt live data.

Signed-off-by: Dan Williams <dan.j.williams@intel.com>
drivers/scsi/isci/request.c

index ebe160c83f91b44af9a5c10b793be2ed9a38cd0a..f4fbca7b1fa365ff64c04c571861c3065c5e9cad 100644 (file)
@@ -1694,7 +1694,7 @@ scic_sds_io_request_frame_handler(struct scic_sds_request *sci_req,
                                                                      frame_index,
                                                                      &smp_resp);
 
-                       word_cnt = (sizeof(struct smp_req) - SMP_RESP_HDR_SZ) /
+                       word_cnt = (sizeof(struct smp_resp) - SMP_RESP_HDR_SZ) /
                                sizeof(u32);
 
                        sci_swab32_cpy(((u8 *) rsp_hdr) + SMP_RESP_HDR_SZ,