Gitiles
Code Review Sign In
review.shift-gmbh.com / SHIFTPHONES / kernel / common / 9ab98f57b3e1d73cd0720d29c21b687ba609cde9^! / . / drivers / scsi / scsi_debug.c
commit9ab98f57b3e1d73cd0720d29c21b687ba609cde9[log] [tgz]
authorFUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>Mon Jun 28 01:04:45 2010 +0900
committerJames Bottomley <James.Bottomley@suse.de>Tue Jul 27 12:03:55 2010 -0500
tree1a6350e608c03b6335bcfc0249bb0b6589f3a06c
parent4289a08680d646dcc18e291cb437a292738e504f [diff] [blame]
[SCSI] scsi_debug: fix map_region and unmap_region oops

map_region and unmap_region could access to invalid memory area since
they don't check the size boundary.

Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>

diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
index 136329b..b02bdc6 100644
--- a/drivers/scsi/scsi_debug.c
+++ b/drivers/scsi/scsi_debug.c

@@ -1991,7 +1991,8 @@
 		block = lba + alignment;
 		rem = do_div(block, granularity);
 
-		set_bit(block, map_storep);
+		if (block < map_size)
+			set_bit(block, map_storep);
 
 		lba += granularity - rem;
 	}
@@ -2011,7 +2012,8 @@
 		block = lba + alignment;
 		rem = do_div(block, granularity);
 
-		if (rem == 0 && lba + granularity <= end)
+		if (rem == 0 && lba + granularity <= end &&
+		    block < map_size)
 			clear_bit(block, map_storep);
 
 		lba += granularity - rem;