diff options
author | Darrick J. Wong <djwong@us.ibm.com> | 2011-01-31 21:47:54 -0500 |
---|---|---|
committer | James Bottomley <James.Bottomley@suse.de> | 2011-02-12 12:21:56 -0500 |
commit | a361cc0025614fdd07f5f69aeeaa8075530870bc (patch) | |
tree | 419b9ae33664d20e6df60e78bf51f2d320548cf1 | |
parent | 044d78e1acb6614f5d79040e490f1fd9bfa45487 (diff) |
[SCSI] scsi_debug: Fix 32-bit overflow in do_device_access causing memory corruption
If I create a scsi_debug device that is larger than 4GB, the multiplication of
(block * scsi_debug_sector_size) can produce a 64-bit value. Unfortunately,
the compiler sees two 32-bit quantities and performs a 32-bit multiplication,
thus truncating the bits above 2^32. This causes the wrong memory location to
be read or written. Change block and rest to be unsigned long long.
Signed-off-by: Darrick J. Wong <djwong@us.ibm.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
-rw-r--r-- | drivers/scsi/scsi_debug.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c index 7b310934efed..a6b2d72022fc 100644 --- a/drivers/scsi/scsi_debug.c +++ b/drivers/scsi/scsi_debug.c | |||
@@ -1671,7 +1671,7 @@ static int do_device_access(struct scsi_cmnd *scmd, | |||
1671 | unsigned long long lba, unsigned int num, int write) | 1671 | unsigned long long lba, unsigned int num, int write) |
1672 | { | 1672 | { |
1673 | int ret; | 1673 | int ret; |
1674 | unsigned int block, rest = 0; | 1674 | unsigned long long block, rest = 0; |
1675 | int (*func)(struct scsi_cmnd *, unsigned char *, int); | 1675 | int (*func)(struct scsi_cmnd *, unsigned char *, int); |
1676 | 1676 | ||
1677 | func = write ? fetch_to_dev_buffer : fill_from_dev_buffer; | 1677 | func = write ? fetch_to_dev_buffer : fill_from_dev_buffer; |