>>>>> "Tomo" == FUJITA Tomonori <fujita.tomonori@xxxxxxxxxxxxx> writes: Tomo> = From: FUJITA Tomonori <fujita.tomonori@xxxxxxxxxxxxx> Subject: Tomo> [PATCH] scsi_debug: fix map_region and unmap_region oops Tomo> map_region and unmap_region could access to invalid memory area Tomo> since they don't check the size boundary. Tomo> Signed-off-by: FUJITA Tomonori <fujita.tomonori@xxxxxxxxxxxxx> --- Tomo> drivers/scsi/scsi_debug.c | 6 ++++-- 1 files changed, 4 Tomo> insertions(+), 2 deletions(-) Tomo> diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c Tomo> index 136329b..b02bdc6 100644 Tomo> --- a/drivers/scsi/scsi_debug.c Tomo> +++ b/drivers/scsi/scsi_debug.c Tomo> @@ -1991,7 +1991,8 @@ static void map_region(sector_t lba, Tomo> unsigned int len) Tomo> block = lba + alignment; rem = do_div(block, Tomo> granularity); Tomo> - set_bit(block, map_storep); Tomo> + if (block < map_size) Tomo> + set_bit(block, map_storep); Tomo> lba += granularity - rem; Tomo> } Tomo> @@ -2011,7 +2012,8 @@ static void unmap_region(sector_t lba, Tomo> unsigned int len) Tomo> block = lba + alignment; rem = do_div(block, Tomo> granularity); Tomo> - if (rem == 0 && lba + granularity <= end) Tomo> + if (rem == 0 && lba + granularity <= end && Tomo> + block < map_size) Tomo> clear_bit(block, map_storep); Tomo> lba += granularity - rem; I'm ok with the patch but I'm interested in what you were doing causing it to access out of bounds? -- Martin K. Petersen Oracle Linux Engineering -- To unsubscribe from this list: send the line "unsubscribe linux-scsi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
