author Lukas Czerner <lczerner@redhat.com> 2012-08-16 10:38:45 -0400
committer James Bottomley <JBottomley@Parallels.com> 2012-10-09 07:23:11 -0400
commit bc977749e967daa56de1922cf4cb38525631c51c
tree 8a601ff599a503f68377b4ea77c49cad54ca24e3 /drivers/scsi/scsi_debug.c
parent 329a402cb052b233bc92aa34c4caf2f7dfb2d76e
[SCSI] scsi_debug: Fix off-by-one bug when unmapping region
Currently it is possible to unmap one more block than the user requested due to the off-by-one error in unmap_region(). This is probably due to the fact that the end variable, despite its name, actually points to the last block to unmap + 1. However, in the condition it is handled as the last block of the region to unmap.

The bug was not previously spotted, probably due to the fact that the region was not zeroed, which has changed with commit be1dd78de5686c062bb3103f9e86d444a10ed783. With that commit we were able to corrupt the ext4 file system on a 256M scsi_debug device with LBPRZ enabled using fstrim.

Since the 'end' semantic is the same in several functions there, this commit just fixes the condition to use the 'end' variable correctly in that context.

Reported-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Lukas Czerner <lczerner@redhat.com>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Diffstat (limited to 'drivers/scsi/scsi_debug.c')
-rw-r--r-- drivers/scsi/scsi_debug.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
index 57fbd5a3d4e2..5cda11c07c68 100644
--- a/drivers/scsi/scsi_debug.c
+++ b/drivers/scsi/scsi_debug.c
@@ -2055,7 +2055,7 @@ static void unmap_region(sector_t lba, unsigned int len)
2055 block = lba + alignment; 2055 block = lba + alignment;
2056 rem = do_div(block, granularity); 2056 rem = do_div(block, granularity);
2057 2057
2058 if (rem == 0 && lba + granularity <= end && block < map_size) { 2058 if (rem == 0 && lba + granularity < end && block < map_size) {
2059 clear_bit(block, map_storep); 2059 clear_bit(block, map_storep);
2060 if (scsi_debug_lbprz) 2060 if (scsi_debug_lbprz)
2061 memset(fake_storep + 2061 memset(fake_storep +
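Review bot: the changed condition at line 2058 now skips a granule that ends exactly at `end`. The commit message says `end` points to the last block to unmap + 1, and under that meaning `lba + granularity == end` describes a granule whose last block is `end - 1`, which is still inside the requested range, so `lba + granularity < end` would leave it mapped (and, with `scsi_debug_lbprz` set, not zeroed). Please confirm against the loop bounds, which are not visible in this hunk, that this is the intended behaviour, and consider a short comment where `end` is declared stating that it is exclusive, since the message notes the same semantic is shared by several functions.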