From 0cae766bdc191ebd2a7c48ee6668ed2ad28e0eb9 Mon Sep 17 00:00:00 2001
From: Gordon Tetlow <gordon@FreeBSD.org>
Date: Wed, 8 Jul 2020 19:58:00 +0000
Subject: [PATCH] Fix kernel panic in mps(4) driver.

Approved by:	so
Security:	FreeBSD-EN-20:15.mps
---
 sys/dev/mps/mps_user.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/sys/dev/mps/mps_user.c b/sys/dev/mps/mps_user.c
index 714236071b3..526bfd6c8ef 100644
--- a/sys/dev/mps/mps_user.c
+++ b/sys/dev/mps/mps_user.c
@@ -1045,10 +1045,12 @@ mps_user_pass_thru(struct mps_softc *sc, mps_pass_thru_t *data)
 			if (((MPI2_SCSI_IO_REPLY *)rpl)->SCSIState &
 			    MPI2_SCSI_STATE_AUTOSENSE_VALID) {
 				sense_len =
-				    MIN((le32toh(((MPI2_SCSI_IO_REPLY *)rpl)->SenseCount)),
-				    sizeof(struct scsi_sense_data));
+				    MIN((le32toh(((MPI2_SCSI_IO_REPLY *)rpl)->
+				    SenseCount)), sizeof(struct
+				    scsi_sense_data));
 				mps_unlock(sc);
-				copyout(cm->cm_sense, cm->cm_req + 64, sense_len);
+				copyout(cm->cm_sense, (PTRIN(data->PtrReply +
+				    sizeof(MPI2_SCSI_IO_REPLY))), sense_len);
 				mps_lock(sc);
 			}
 		}
-- 
2.45.0