Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 518d9df8 authored by Akinobu Mita's avatar Akinobu Mita Committed by James Bottomley
Browse files

[SCSI] scsi_debug: fix invalid address passed to kunmap_atomic() 



In the function prot_verify_write(), the kmap address 'daddr' is
incremented in the loop for each data page.  Finally 'daddr' reaches
the next page boundary in the end of the loop, and the invalid address
is passed to kunmap_atomic().

Fix the issue by not incrementing 'daddr' in the loop and offsetting it
by the loop counter on demand.

Signed-off-by: default avatarAkinobu Mita <akinobu.mita@gmail.com>
Acked-by: default avatarDouglas Gilbert <dgilbert@interlog.com>
Acked-by: default avatar"Martin K. Petersen" <martin.petersen@oracle.com>
Signed-off-by: default avatarJames Bottomley <JBottomley@Parallels.com>
parent e9ce9c86

drivers/scsi/scsi_debug.c

+6 −7
Original line number Diff line number Diff line
@@ -1917,11 +1917,11 @@ static int prot_verify_write(struct scsi_cmnd *SCpnt, sector_t start_sec, 


			switch (scsi_debug_guard) {

			case 1:

				csum = ip_compute_csum(daddr,

				csum = ip_compute_csum(daddr + j,

						       scsi_debug_sector_size);

				break;

			case 0:

				csum = cpu_to_be16(crc_t10dif(daddr,

				csum = cpu_to_be16(crc_t10dif(daddr + j,

						      scsi_debug_sector_size));

				break;

			default:
@@ -1938,7 +1938,7 @@ static int prot_verify_write(struct scsi_cmnd *SCpnt, sector_t start_sec, 
				       be16_to_cpu(sdt->guard_tag),

				       be16_to_cpu(csum));

				ret = 0x01;

				dump_sector(daddr, scsi_debug_sector_size);

				dump_sector(daddr + j, scsi_debug_sector_size);

				goto out;

			}
@@ -1949,7 +1949,7 @@ static int prot_verify_write(struct scsi_cmnd *SCpnt, sector_t start_sec, 
				       "%s: REF check failed on sector %lu\n",

				       __func__, (unsigned long)sector);

				ret = 0x03;

				dump_sector(daddr, scsi_debug_sector_size);

				dump_sector(daddr + j, scsi_debug_sector_size);

				goto out;

			}
@@ -1959,7 +1959,7 @@ static int prot_verify_write(struct scsi_cmnd *SCpnt, sector_t start_sec, 
				       "%s: REF check failed on sector %lu\n",

				       __func__, (unsigned long)sector);

				ret = 0x03;

				dump_sector(daddr, scsi_debug_sector_size);

				dump_sector(daddr + j, scsi_debug_sector_size);

				goto out;

			}
@@ -1977,7 +1977,6 @@ static int prot_verify_write(struct scsi_cmnd *SCpnt, sector_t start_sec, 


			start_sec++;

			ei_lba++;

			daddr += scsi_debug_sector_size;

			ppage_offset += sizeof(struct sd_dif_tuple);

		}