diff options
author | Darrick J. Wong <djwong@us.ibm.com> | 2011-01-31 18:47:54 -0800 |
---|---|---|
committer | James Bottomley <James.Bottomley@suse.de> | 2011-02-12 11:21:56 -0600 |
commit | a361cc0025614fdd07f5f69aeeaa8075530870bc (patch) | |
tree | 419b9ae33664d20e6df60e78bf51f2d320548cf1 /drivers/scsi/scsi_debug.c | |
parent | 044d78e1acb6614f5d79040e490f1fd9bfa45487 (diff) | |
download | op-kernel-dev-a361cc0025614fdd07f5f69aeeaa8075530870bc.zip op-kernel-dev-a361cc0025614fdd07f5f69aeeaa8075530870bc.tar.gz |
[SCSI] scsi_debug: Fix 32-bit overflow in do_device_access causing memory corruption
If I create a scsi_debug device that is larger than 4GB, the multiplication of
(block * scsi_debug_sector_size) can produce a 64-bit value. Unfortunately,
the compiler sees two 32-bit quantities and performs a 32-bit multiplication,
thus truncating the bits above 2^32. This causes the wrong memory location to
be read or written. Change block and rest to be unsigned long long.
Signed-off-by: Darrick J. Wong <djwong@us.ibm.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Diffstat (limited to 'drivers/scsi/scsi_debug.c')
-rw-r--r-- | drivers/scsi/scsi_debug.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c index 7b31093..a6b2d72 100644 --- a/drivers/scsi/scsi_debug.c +++ b/drivers/scsi/scsi_debug.c @@ -1671,7 +1671,7 @@ static int do_device_access(struct scsi_cmnd *scmd, unsigned long long lba, unsigned int num, int write) { int ret; - unsigned int block, rest = 0; + unsigned long long block, rest = 0; int (*func)(struct scsi_cmnd *, unsigned char *, int); func = write ? fetch_to_dev_buffer : fill_from_dev_buffer; |