On Mon, 28 Jun 2010 13:18:20 -0400 "Martin K. Petersen" <martin.petersen@xxxxxxxxxx> wrote: > >>>>> "Tomo" == FUJITA Tomonori <fujita.tomonori@xxxxxxxxxxxxx> writes: > > Tomo> = From: FUJITA Tomonori <fujita.tomonori@xxxxxxxxxxxxx> Subject: > Tomo> [PATCH] scsi_debug: fix map_region and unmap_region oops > > Tomo> map_region and unmap_region could access to invalid memory area > Tomo> since they don't check the size boundary. > > Tomo> Signed-off-by: FUJITA Tomonori <fujita.tomonori@xxxxxxxxxxxxx> --- > Tomo> drivers/scsi/scsi_debug.c | 6 ++++-- 1 files changed, 4 > Tomo> insertions(+), 2 deletions(-) > > Tomo> diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c > Tomo> index 136329b..b02bdc6 100644 > Tomo> --- a/drivers/scsi/scsi_debug.c > Tomo> +++ b/drivers/scsi/scsi_debug.c > Tomo> @@ -1991,7 +1991,8 @@ static void map_region(sector_t lba, > Tomo> unsigned int len) > Tomo> block = lba + alignment; rem = do_div(block, > Tomo> granularity); > > Tomo> - set_bit(block, map_storep); > Tomo> + if (block < map_size) > Tomo> + set_bit(block, map_storep); > > Tomo> lba += granularity - rem; > Tomo> } > Tomo> @@ -2011,7 +2012,8 @@ static void unmap_region(sector_t lba, > Tomo> unsigned int len) > Tomo> block = lba + alignment; rem = do_div(block, > Tomo> granularity); > > Tomo> - if (rem == 0 && lba + granularity <= end) > Tomo> + if (rem == 0 && lba + granularity <= end && > Tomo> + block < map_size) > Tomo> clear_bit(block, map_storep); > > Tomo> lba += granularity - rem; > > I'm ok with the patch but I'm interested in what you were doing causing > it to access out of bounds? I set unmap_granularity to 1 and then run mkfs.xfs. -- To unsubscribe from this list: send the line "unsubscribe linux-scsi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
