Hi Dan, Did you diff this one backwards ? On Tue, Jun 1, 2010 at 5:05 PM, Dan Carpenter <error27@xxxxxxxxx> wrote: > I moved the range check after the increment. The current code would > write past the end of the array once before calling BUG(). > > Signed-off-by: Dan Carpenter <error27@xxxxxxxxx> > > diff --git a/drivers/block/cciss_scsi.c b/drivers/block/cciss_scsi.c > index e1d0e2c..3381505 100644 > --- a/drivers/block/cciss_scsi.c > +++ b/drivers/block/cciss_scsi.c > @@ -188,11 +188,11 @@ scsi_cmd_free(ctlr_info_t *h, CommandList_struct *cmd) > > sa = h->scsi_ctlr; > stk = &sa->cmd_stack; > + stk->top++; > if (stk->top >= CMD_STACK_SIZE) { > printk("cciss: scsi_cmd_free called too many times.\n"); > BUG(); > } > - stk->top++; > stk->elem[stk->top] = (struct cciss_scsi_cmd_stack_elem_t *) cmd; > } > > -- > To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html > -- To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html