On Tue, Jun 01 2010, Darren Jenkins wrote:
> Hi Dan,
>
> On Tue, Jun 1, 2010 at 5:05 PM, Dan Carpenter <error27@xxxxxxxxx> wrote:
> > I moved the range check after the increment. The current code would
> > write past the end of the array once before calling BUG().
> >
> > Signed-off-by: Dan Carpenter <error27@xxxxxxxxx>
> >
> > diff --git a/drivers/block/cciss_scsi.c b/drivers/block/cciss_scsi.c
> > index e1d0e2c..3381505 100644
> > --- a/drivers/block/cciss_scsi.c
> > +++ b/drivers/block/cciss_scsi.c
> > @@ -188,11 +188,11 @@ scsi_cmd_free(ctlr_info_t *h, CommandList_struct *cmd)
> >
> > sa = h->scsi_ctlr;
> > stk = &sa->cmd_stack;
> > + stk->top++;
> > if (stk->top >= CMD_STACK_SIZE) {
> > printk("cciss: scsi_cmd_free called too many times.\n");
> > BUG();
> > }
> > - stk->top++;
> > stk->elem[stk->top] = (struct cciss_scsi_cmd_stack_elem_t *) cmd;
> > }
>
> Did you diff this one backwards?

How so? If stk->top == CMD_STACK_SIZE - 1 the current code will not trigger
the BUG, but it will index beyond the size of ->elem. So the patch looks
correct to me.

Dan, I'll apply it, thanks.

--
Jens Axboe
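Review bot: the changelog should spell out the out-of-bounds write this hunk fixes, since the one-line description invites exactly the "diffed backwards" reaction above: with the old ordering, `if (stk->top >= CMD_STACK_SIZE)` is evaluated while stk->top is still CMD_STACK_SIZE - 1, so it passes, the following `stk->top++` makes it CMD_STACK_SIZE, and `stk->elem[stk->top] = (struct cciss_scsi_cmd_stack_elem_t *) cmd;` stores one element past the end of elem; only the next call trips BUG(). Moving the increment above the check means the BUG() fires before that store, which is what makes the patch correct rather than reversed. Stating that sequence in the commit message would help anyone backporting it judge its severity. As a minor style point on the unchanged context, the printk carries no KERN_ level; a message immediately followed by BUG() warrants KERN_ERR so it is not dropped by the console log level.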