[SCSI] scsi_debug: fix map_region and unmap_region oops

map_region and unmap_region could access to invalid memory area since they don't check the size boundary. Signed-off-by: N FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp> Acked-by: N Douglas Gilbert <dgilbert@interlog.com> Signed-off-by: N James Bottomley <James.Bottomley@suse.de>

[SCSI] scsi_debug: fix map_region and unmap_region oops
map_region and unmap_region could access to invalid memory area since they don't check the size boundary. Signed-off-by: N FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp> Acked-by: N Douglas Gilbert <dgilbert@interlog.com> Signed-off-by: N James Bottomley <James.Bottomley@suse.de>
9ab98f57 · FUJITA Tomonori · James Bottomley · 4289a086 · 9ab98f57
隐藏空白更改
内联并排

Showing with 4 addition and 2 deletion

drivers/scsi/scsi_debug.c drivers/scsi/scsi_debug.c +4 -2

未找到文件。
--- a/drivers/scsi/scsi_debug.c
+++ b/drivers/scsi/scsi_debug.c
@@ -1991,7 +1991,8 @@ static void map_region(sector_t lba, unsigned int len)
 		block = lba + alignment;
 		rem = do_div(block, granularity);

-		set_bit(block, map_storep);
+		if (block < map_size)
+			set_bit(block, map_storep);

 		lba += granularity - rem;
 	}
@@ -2011,7 +2012,8 @@ static void unmap_region(sector_t lba, unsigned int len)
 		block = lba + alignment;
 		rem = do_div(block, granularity);

-		if (rem == 0 && lba + granularity <= end)
+		if (rem == 0 && lba + granularity <= end &&
+		    block < map_size)
 			clear_bit(block, map_storep);

 		lba += granularity - rem;