diff options
| author | Akinobu Mita <akinobu.mita@gmail.com> | 2013-06-29 04:59:14 -0400 |
|---|---|---|
| committer | James Bottomley <JBottomley@Parallels.com> | 2013-07-09 04:17:50 -0400 |
| commit | 518d9df87105a078984c90c75cf6e7f67e3c928c (patch) | |
| tree | 1563e4e42d9c51e6b33e0c4bf5d171dc35e061ad /drivers/scsi | |
| parent | e9ce9c86c28c5d44dc408ffe5069597cbbe4663a (diff) | |
[SCSI] scsi_debug: fix invalid address passed to kunmap_atomic()
In the function prot_verify_write(), the kmap address 'daddr' is
incremented in the loop for each data page. Finally 'daddr' reaches
the next page boundary in the end of the loop, and the invalid address
is passed to kunmap_atomic().
Fix the issue by not incrementing 'daddr' in the loop and offsetting it
by the loop counter on demand.
Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Acked-by: "Martin K. Petersen" <martin.petersen@oracle.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Diffstat (limited to 'drivers/scsi')
| -rw-r--r-- | drivers/scsi/scsi_debug.c | 13 |
1 files changed, 6 insertions, 7 deletions
diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c index 0a537a0515ca..d51bddde5b1f 100644 --- a/drivers/scsi/scsi_debug.c +++ b/drivers/scsi/scsi_debug.c | |||
| @@ -1899,7 +1899,7 @@ static int prot_verify_write(struct scsi_cmnd *SCpnt, sector_t start_sec, | |||
| 1899 | daddr = kmap_atomic(sg_page(dsgl)) + dsgl->offset; | 1899 | daddr = kmap_atomic(sg_page(dsgl)) + dsgl->offset; |
| 1900 | 1900 | ||
| 1901 | /* For each sector-sized chunk in data page */ | 1901 | /* For each sector-sized chunk in data page */ |
| 1902 | for (j = 0 ; j < dsgl->length ; j += scsi_debug_sector_size) { | 1902 | for (j = 0; j < dsgl->length; j += scsi_debug_sector_size) { |
| 1903 | 1903 | ||
| 1904 | /* If we're at the end of the current | 1904 | /* If we're at the end of the current |
| 1905 | * protection page advance to the next one | 1905 | * protection page advance to the next one |
| @@ -1917,11 +1917,11 @@ static int prot_verify_write(struct scsi_cmnd *SCpnt, sector_t start_sec, | |||
| 1917 | 1917 | ||
| 1918 | switch (scsi_debug_guard) { | 1918 | switch (scsi_debug_guard) { |
| 1919 | case 1: | 1919 | case 1: |
| 1920 | csum = ip_compute_csum(daddr, | 1920 | csum = ip_compute_csum(daddr + j, |
| 1921 | scsi_debug_sector_size); | 1921 | scsi_debug_sector_size); |
| 1922 | break; | 1922 | break; |
| 1923 | case 0: | 1923 | case 0: |
| 1924 | csum = cpu_to_be16(crc_t10dif(daddr, | 1924 | csum = cpu_to_be16(crc_t10dif(daddr + j, |
| 1925 | scsi_debug_sector_size)); | 1925 | scsi_debug_sector_size)); |
| 1926 | break; | 1926 | break; |
| 1927 | default: | 1927 | default: |
| @@ -1938,7 +1938,7 @@ static int prot_verify_write(struct scsi_cmnd *SCpnt, sector_t start_sec, | |||
| 1938 | be16_to_cpu(sdt->guard_tag), | 1938 | be16_to_cpu(sdt->guard_tag), |
| 1939 | be16_to_cpu(csum)); | 1939 | be16_to_cpu(csum)); |
| 1940 | ret = 0x01; | 1940 | ret = 0x01; |
| 1941 | dump_sector(daddr, scsi_debug_sector_size); | 1941 | dump_sector(daddr + j, scsi_debug_sector_size); |
| 1942 | goto out; | 1942 | goto out; |
| 1943 | } | 1943 | } |
| 1944 | 1944 | ||
| @@ -1949,7 +1949,7 @@ static int prot_verify_write(struct scsi_cmnd *SCpnt, sector_t start_sec, | |||
| 1949 | "%s: REF check failed on sector %lu\n", | 1949 | "%s: REF check failed on sector %lu\n", |
| 1950 | __func__, (unsigned long)sector); | 1950 | __func__, (unsigned long)sector); |
| 1951 | ret = 0x03; | 1951 | ret = 0x03; |
| 1952 | dump_sector(daddr, scsi_debug_sector_size); | 1952 | dump_sector(daddr + j, scsi_debug_sector_size); |
| 1953 | goto out; | 1953 | goto out; |
| 1954 | } | 1954 | } |
| 1955 | 1955 | ||
| @@ -1959,7 +1959,7 @@ static int prot_verify_write(struct scsi_cmnd *SCpnt, sector_t start_sec, | |||
| 1959 | "%s: REF check failed on sector %lu\n", | 1959 | "%s: REF check failed on sector %lu\n", |
| 1960 | __func__, (unsigned long)sector); | 1960 | __func__, (unsigned long)sector); |
| 1961 | ret = 0x03; | 1961 | ret = 0x03; |
| 1962 | dump_sector(daddr, scsi_debug_sector_size); | 1962 | dump_sector(daddr + j, scsi_debug_sector_size); |
| 1963 | goto out; | 1963 | goto out; |
| 1964 | } | 1964 | } |
| 1965 | 1965 | ||
| @@ -1977,7 +1977,6 @@ static int prot_verify_write(struct scsi_cmnd *SCpnt, sector_t start_sec, | |||
| 1977 | 1977 | ||
| 1978 | start_sec++; | 1978 | start_sec++; |
| 1979 | ei_lba++; | 1979 | ei_lba++; |
| 1980 | daddr += scsi_debug_sector_size; | ||
| 1981 | ppage_offset += sizeof(struct sd_dif_tuple); | 1980 | ppage_offset += sizeof(struct sd_dif_tuple); |
| 1982 | } | 1981 | } |
| 1983 | 1982 | ||