From patchwork Thu Nov 15 05:49:30 2012 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [3.5.yuz, extended, stable] Patch "scsi_debug: Fix off-by-one bug when unmapping region" has been added to staging queue From: Herton Ronaldo Krzesinski X-Patchwork-Id: 199171 Message-Id: <1352958570-16834-1-git-send-email-herton.krzesinski@canonical.com> To: Lukas Czerner Cc: "Martin K. Petersen" , James Bottomley , kernel-team@lists.ubuntu.com, Douglas Gilbert , Paolo Bonzini Date: Thu, 15 Nov 2012 03:49:30 -0200 This is a note to let you know that I have just added a patch titled scsi_debug: Fix off-by-one bug when unmapping region to the linux-3.5.y-queue branch of the 3.5.yuz extended stable tree which can be found at: http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.5.y-queue If you, or anyone else, feels it should not be added to this tree, please reply to this email. For more information about the 3.5.yuz tree, see https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable Thanks. -Herton ------ >From 5ed204a8dd29d2b87e809467adb37f213bcd8582 Mon Sep 17 00:00:00 2001 From: Lukas Czerner Date: Thu, 16 Aug 2012 16:38:45 +0200 Subject: [PATCH] scsi_debug: Fix off-by-one bug when unmapping region commit bc977749e967daa56de1922cf4cb38525631c51c upstream. Currently it is possible to unmap one more block than user requested to due to the off-by-one error in unmap_region(). This is probably due to the fact that the end variable despite its name actually points to the last block to unmap + 1. However in the condition it is handled as the last block of the region to unmap. The bug was not previously spotted probably due to the fact that the region was not zeroed, which has changed with commit be1dd78de5686c062bb3103f9e86d444a10ed783. With that commit we were able to corrupt the ext4 file system on 256M scsi_debug device with LBPRZ enabled using fstrim. Since the 'end' semantic is the same in several functions there this commit just fixes the condition to use the 'end' variable correctly in that context. Reported-by: Paolo Bonzini Signed-off-by: Lukas Czerner Reviewed-by: Martin K. Petersen Acked-by: Douglas Gilbert Signed-off-by: James Bottomley Signed-off-by: Herton Ronaldo Krzesinski --- drivers/scsi/scsi_debug.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 1.7.9.5 diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c index 182d5a5..f4cc413 100644 --- a/drivers/scsi/scsi_debug.c +++ b/drivers/scsi/scsi_debug.c @@ -2054,7 +2054,7 @@ static void unmap_region(sector_t lba, unsigned int len) block = lba + alignment; rem = do_div(block, granularity); - if (rem == 0 && lba + granularity <= end && block < map_size) { + if (rem == 0 && lba + granularity < end && block < map_size) { clear_bit(block, map_storep); if (scsi_debug_lbprz) memset(fake_storep +