From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1758887AbcEFSIs (ORCPT ); Fri, 6 May 2016 14:08:48 -0400 Received: from mail-wm0-f47.google.com ([74.125.82.47]:38384 "EHLO mail-wm0-f47.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1758692AbcEFSDu (ORCPT ); Fri, 6 May 2016 14:03:50 -0400 From: =?UTF-8?q?Matias=20Bj=C3=B8rling?= To: linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, axboe@fb.com Cc: =?UTF-8?q?Matias=20Bj=C3=B8rling?= Subject: [PATCH 17/28] lightnvm: fix out of bound ppa lun id on bb tbl Date: Fri, 6 May 2016 20:03:10 +0200 Message-Id: <1462557801-24974-18-git-send-email-m@bjorling.me> X-Mailer: git-send-email 2.1.4 In-Reply-To: <1462557801-24974-1-git-send-email-m@bjorling.me> References: <1462557801-24974-1-git-send-email-m@bjorling.me> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The ppa configured for retrieving the bad block table uses the internal lun id to setup the get bad block ppa. This increases monotonically with the number luns available. When configuring a ppa, the channel and lun must be specified separately, leading to an out of bound memory access in gennvm_block_bb when lun id goes beyond the luns available within a channel. Additional, remove out of bound check in gennvm_block_bb(), as it was a buggy to begin with. Signed-off-by: Matias Bjørling --- drivers/lightnvm/gennvm.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/drivers/lightnvm/gennvm.c b/drivers/lightnvm/gennvm.c index 89b880a..61790ae 100644 --- a/drivers/lightnvm/gennvm.c +++ b/drivers/lightnvm/gennvm.c @@ -148,11 +148,6 @@ static int gennvm_block_bb(struct gen_nvm *gn, struct ppa_addr ppa, continue; blk = &lun->vlun.blocks[i]; - if (!blk) { - pr_err("gennvm: BB data is out of bounds.\n"); - return -EINVAL; - } - list_move_tail(&blk->list, &lun->bb_list); lun->vlun.nr_bad_blocks++; lun->vlun.nr_free_blocks--; @@ -257,7 +252,7 @@ static int gennvm_blocks_init(struct nvm_dev *dev, struct gen_nvm *gn) ppa.ppa = 0; ppa.g.ch = lun->vlun.chnl_id; - ppa.g.lun = lun->vlun.id; + ppa.g.lun = lun->vlun.lun_id; ret = nvm_get_bb_tbl(dev, ppa, blks); if (ret) -- 2.1.4