On Mon, 2011-06-13 at 23:12 +0300, Dan Carpenter wrote:
> There are TL_TPGS_PER_HBA elements in the ->tl_hba_tpgs[] array so
> this test is off by one. Later when we take the pointer, it would
> be one past the end and we'd crash:
>
> tl_tpg = &tl_hba->tl_hba_tpgs[tpgt];
> tl_tpg->tl_hba = tl_hba;
>
> I think this can only be triggered by root.
>
> Signed-off-by: Dan Carpenter <error27@xxxxxxxxx>
>
Ok, so I had merged this patch some time ago into lio-core-2.6.git, but
did not make it to mainline.
I will include this patch along with your other bugfixes in a pull to
Linus for v3.0-rc4 soon.
Thanks Dan!
--nab
> diff --git a/drivers/target/loopback/tcm_loop.c b/drivers/target/loopback/tcm_loop.c
> index 7329d0e..4fedb58 100644
> --- a/drivers/target/loopback/tcm_loop.c
> +++ b/drivers/target/loopback/tcm_loop.c
> @@ -1227,7 +1227,7 @@ struct se_portal_group *tcm_loop_make_naa_tpg(
> tpgt_str += 5; /* Skip ahead of "tpgt_" */
> tpgt = (unsigned short int) simple_strtoul(tpgt_str, &end_ptr, 0);
>
> - if (tpgt > TL_TPGS_PER_HBA) {
> + if (tpgt >= TL_TPGS_PER_HBA) {
> printk(KERN_ERR "Passed tpgt: %hu exceeds TL_TPGS_PER_HBA:"
> " %u\n", tpgt, TL_TPGS_PER_HBA);
> return ERR_PTR(-EINVAL);
--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
