lightnvm: fix out of bound ppa lun id on bb tbl

The ppa configured for retrieving the bad block table uses the internal
lun id to setup the get bad block ppa. This increases monotonically
with the number luns available. When configuring a ppa, the channel and
lun must be specified separately, leading to an out of bound memory
access in gennvm_block_bb when lun id goes beyond the luns available
within a channel.

Additional, remove out of bound check in gennvm_block_bb(), as it was a
buggy to begin with.

Signed-off-by: Matias Bjørling <m@bjorling.me>
Signed-off-by: Jens Axboe <axboe@fb.com>

1 files changed, 1 insertions, 6 deletions

diff --git a/drivers/lightnvm/gennvm.c b/drivers/lightnvm/gennvm.c
index 89b880a25cc6..61790aebb8da 100644
--- a/drivers/lightnvm/gennvm.c
+++ b/drivers/lightnvm/gennvm.c
@@ -148,11 +148,6 @@ static int gennvm_block_bb(struct gen_nvm *gn, struct ppa_addr ppa,
                         continue;
 
                 blk = &lun->vlun.blocks[i];
-                if (!blk) {
-                        pr_err("gennvm: BB data is out of bounds.\n");
-                        return -EINVAL;
-                }
-
                 list_move_tail(&blk->list, &lun->bb_list);
                 lun->vlun.nr_bad_blocks++;
                 lun->vlun.nr_free_blocks--;
@@ -257,7 +252,7 @@ static int gennvm_blocks_init(struct nvm_dev *dev, struct gen_nvm *gn)
 
                         ppa.ppa = 0;
                         ppa.g.ch = lun->vlun.chnl_id;
-                        ppa.g.lun = lun->vlun.id;
+                        ppa.g.lun = lun->vlun.lun_id;
 
                         ret = nvm_get_bb_tbl(dev, ppa, blks);
                         if (ret)