diff options
author | FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp> | 2010-06-28 01:04:45 +0900 |
---|---|---|
committer | James Bottomley <James.Bottomley@suse.de> | 2010-07-27 12:03:55 -0500 |
commit | 9ab98f57b3e1d73cd0720d29c21b687ba609cde9 (patch) | |
tree | 1a6350e608c03b6335bcfc0249bb0b6589f3a06c /drivers/scsi/scsi_debug.c | |
parent | 4289a08680d646dcc18e291cb437a292738e504f (diff) | |
download | op-kernel-dev-9ab98f57b3e1d73cd0720d29c21b687ba609cde9.zip op-kernel-dev-9ab98f57b3e1d73cd0720d29c21b687ba609cde9.tar.gz |
[SCSI] scsi_debug: fix map_region and unmap_region oops
map_region and unmap_region could access to invalid memory area since
they don't check the size boundary.
Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Diffstat (limited to 'drivers/scsi/scsi_debug.c')
-rw-r--r-- | drivers/scsi/scsi_debug.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c index 136329b..b02bdc6 100644 --- a/drivers/scsi/scsi_debug.c +++ b/drivers/scsi/scsi_debug.c @@ -1991,7 +1991,8 @@ static void map_region(sector_t lba, unsigned int len) block = lba + alignment; rem = do_div(block, granularity); - set_bit(block, map_storep); + if (block < map_size) + set_bit(block, map_storep); lba += granularity - rem; } @@ -2011,7 +2012,8 @@ static void unmap_region(sector_t lba, unsigned int len) block = lba + alignment; rem = do_div(block, granularity); - if (rem == 0 && lba + granularity <= end) + if (rem == 0 && lba + granularity <= end && + block < map_size) clear_bit(block, map_storep); lba += granularity - rem; |