From: Akinobu Mita <akinobu.mita@gmail.com>
To: linux-scsi@vger.kernel.org
Cc: Akinobu Mita <akinobu.mita@gmail.com>,
	"James E.J. Bottomley" <JBottomley@parallels.com>,
	Douglas Gilbert <dgilbert@interlog.com>,
	"Martin K. Petersen" <martin.petersen@oracle.com>
Subject: [PATCH v3 1/6] scsi_debug: fix invalid address passed to kunmap_atomic()
Date: Sun, 26 May 2013 17:01:17 +0900
Message-ID: <1369555282-17864-2-git-send-email-akinobu.mita@gmail.com>
In-Reply-To: <1369555282-17864-1-git-send-email-akinobu.mita@gmail.com>

In the function prot_verify_write(), the kmap address 'daddr' is
incremented in the loop for each data page.  Finally 'daddr' reaches
the next page boundary at the end of the loop, and the invalid address
is passed to kunmap_atomic().

Fix the issue by not incrementing 'daddr' in the loop and offsetting it
by the loop counter on demand.

Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Cc: "James E.J. Bottomley" <JBottomley@parallels.com>
Cc: Douglas Gilbert <dgilbert@interlog.com>
Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
Cc: linux-scsi@vger.kernel.org
---

* Change from v2
- Incrementing 'daddr' in the loop and restoring the original value by
  subtracting the sum of increments was not very clear.  Instead of
  doing that, fix the issue by not incrementing 'daddr' in the loop and
  offsetting it by the loop counter on demand.

 drivers/scsi/scsi_debug.c | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
index 0a537a0..d51bddd 100644
--- a/drivers/scsi/scsi_debug.c
+++ b/drivers/scsi/scsi_debug.c
@@ -1899,7 +1899,7 @@ static int prot_verify_write(struct scsi_cmnd *SCpnt, sector_t start_sec,
 		daddr = kmap_atomic(sg_page(dsgl)) + dsgl->offset;
 
 		/* For each sector-sized chunk in data page */
-		for (j = 0 ; j < dsgl->length ; j += scsi_debug_sector_size) {
+		for (j = 0; j < dsgl->length; j += scsi_debug_sector_size) {
 
 			/* If we're at the end of the current
 			 * protection page advance to the next one
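Review bot: The only change in this hunk is whitespace in the for header ("j = 0 ;" to "j = 0;"), which is unrelated to the kunmap_atomic() fix. For a bug fix that may be backported, consider dropping it here or moving it to one of the cleanup patches in the series, so the fix touches only the lines that use 'daddr'.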
@@ -1917,11 +1917,11 @@ static int prot_verify_write(struct scsi_cmnd *SCpnt, sector_t start_sec,
 
 			switch (scsi_debug_guard) {
 			case 1:
-				csum = ip_compute_csum(daddr,
+				csum = ip_compute_csum(daddr + j,
 						       scsi_debug_sector_size);
 				break;
 			case 0:
-				csum = cpu_to_be16(crc_t10dif(daddr,
+				csum = cpu_to_be16(crc_t10dif(daddr + j,
 						      scsi_debug_sector_size));
 				break;
 			default:
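Review bot: Both checksum calls now read scsi_debug_sector_size bytes starting at 'daddr + j', but the loop only bounds j by dsgl->length, so the last iteration stays inside the mapped data only if dsgl->length is a multiple of scsi_debug_sector_size. That assumption was already present with the incremented pointer, yet it is worth a short comment above the loop (or a check that skips a trailing partial sector), since 'daddr' points into a single kmap_atomic() page.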
@@ -1938,7 +1938,7 @@ static int prot_verify_write(struct scsi_cmnd *SCpnt, sector_t start_sec,
 				       be16_to_cpu(sdt->guard_tag),
 				       be16_to_cpu(csum));
 				ret = 0x01;
-				dump_sector(daddr, scsi_debug_sector_size);
+				dump_sector(daddr + j, scsi_debug_sector_size);
 				goto out;
 			}
 
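Review bot: 'daddr + j' is now spelled out at five call sites (two checksum calls and three dump_sector() calls), and missing one of them in a later edit would silently check or dump the first sector of the page instead of the current one. Computing the current sector address once at the top of the loop body into a local pointer and passing that everywhere would keep the fix and remove the repetition.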
@@ -1949,7 +1949,7 @@ static int prot_verify_write(struct scsi_cmnd *SCpnt, sector_t start_sec,
 				       "%s: REF check failed on sector %lu\n",
 				       __func__, (unsigned long)sector);
 				ret = 0x03;
-				dump_sector(daddr, scsi_debug_sector_size);
+				dump_sector(daddr + j, scsi_debug_sector_size);
 				goto out;
 			}
 
@@ -1959,7 +1959,7 @@ static int prot_verify_write(struct scsi_cmnd *SCpnt, sector_t start_sec,
 				       "%s: REF check failed on sector %lu\n",
 				       __func__, (unsigned long)sector);
 				ret = 0x03;
-				dump_sector(daddr, scsi_debug_sector_size);
+				dump_sector(daddr + j, scsi_debug_sector_size);
 				goto out;
 			}
 
@@ -1977,7 +1977,6 @@ static int prot_verify_write(struct scsi_cmnd *SCpnt, sector_t start_sec,
 
 			start_sec++;
 			ei_lba++;
-			daddr += scsi_debug_sector_size;
 			ppage_offset += sizeof(struct sd_dif_tuple);
 		}
 
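Review bot: With 'daddr += scsi_debug_sector_size' removed, 'daddr' keeps the value assigned before the loop, which is the kmap_atomic() return plus dsgl->offset rather than the raw mapping address. The kunmap_atomic() call is outside the visible context, so the commit message should say that an address with an in-page offset is acceptable there, or the mapping should be held in a separate variable that is passed to kunmap_atomic() unchanged.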
-- 
1.8.1.4

