[SCSI] scsi_debug: fix map_region and unmap_region oops

map_region and unmap_region could access to invalid memory area since they don't check the size boundary. Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp> Acked-by: Douglas Gilbert <dgilbert@interlog.com> Signed-off-by: James Bottomley <James.Bottomley@suse.de>
author: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp> 2010-06-27 12:04:45 -0400
committer: James Bottomley <James.Bottomley@suse.de> 2010-07-27 13:03:55 -0400
commit: 9ab98f57b3e1d73cd0720d29c21b687ba609cde9 (patch)
tree: 1a6350e608c03b6335bcfc0249bb0b6589f3a06c
parent: 4289a08680d646dcc18e291cb437a292738e504f (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
index 136329b4027b..b02bdc6c2cd1 100644
--- a/drivers/scsi/scsi_debug.c
+++ b/drivers/scsi/scsi_debug.c
@@ -1991,7 +1991,8 @@ static void map_region(sector_t lba, unsigned int len)
                block = lba + alignment;
                rem = do_div(block, granularity);
-                set_bit(block, map_storep);
+                if (block < map_size)
+                        set_bit(block, map_storep);
                lba += granularity - rem;
        }
@@ -2011,7 +2012,8 @@ static void unmap_region(sector_t lba, unsigned int len)
                block = lba + alignment;
                rem = do_div(block, granularity);
-                if (rem == 0 && lba + granularity <= end)
+                if (rem == 0 && lba + granularity <= end &&
+                    block < map_size)
                        clear_bit(block, map_storep);
                lba += granularity - rem;
author	FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>	2010-06-27 12:04:45 -0400
committer	James Bottomley <James.Bottomley@suse.de>	2010-07-27 13:03:55 -0400
commit	9ab98f57b3e1d73cd0720d29c21b687ba609cde9 (patch)
tree	1a6350e608c03b6335bcfc0249bb0b6589f3a06c
parent	4289a08680d646dcc18e291cb437a292738e504f (diff)