summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorFUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>2010-06-27 18:04:45 +0200
committerJames Bottomley <James.Bottomley@suse.de>2010-07-27 19:03:55 +0200
commit9ab98f57b3e1d73cd0720d29c21b687ba609cde9 (patch)
tree1a6350e608c03b6335bcfc0249bb0b6589f3a06c
parent[SCSI] ipr: change endian swap key to match hardware spec change (diff)
downloadlinux-9ab98f57b3e1d73cd0720d29c21b687ba609cde9.tar.xz
linux-9ab98f57b3e1d73cd0720d29c21b687ba609cde9.zip
[SCSI] scsi_debug: fix map_region and unmap_region oops
map_region and unmap_region could access to invalid memory area since they don't check the size boundary. Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp> Acked-by: Douglas Gilbert <dgilbert@interlog.com> Signed-off-by: James Bottomley <James.Bottomley@suse.de>
-rw-r--r--drivers/scsi/scsi_debug.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
index 136329b4027b..b02bdc6c2cd1 100644
--- a/drivers/scsi/scsi_debug.c
+++ b/drivers/scsi/scsi_debug.c
@@ -1991,7 +1991,8 @@ static void map_region(sector_t lba, unsigned int len)
block = lba + alignment;
rem = do_div(block, granularity);
- set_bit(block, map_storep);
+ if (block < map_size)
+ set_bit(block, map_storep);
lba += granularity - rem;
}
@@ -2011,7 +2012,8 @@ static void unmap_region(sector_t lba, unsigned int len)
block = lba + alignment;
rem = do_div(block, granularity);
- if (rem == 0 && lba + granularity <= end)
+ if (rem == 0 && lba + granularity <= end &&
+ block < map_size)
clear_bit(block, map_storep);
lba += granularity - rem;