From: Darrick J. Wong Date: Tue, 1 Feb 2011 02:47:54 +0000 (-0800) Subject: [SCSI] scsi_debug: Fix 32-bit overflow in do_device_access causing memory corruption X-Git-Tag: firefly_0821_release~7613^2~2424^2~12 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=a361cc0025614fdd07f5f69aeeaa8075530870bc;p=firefly-linux-kernel-4.4.55.git [SCSI] scsi_debug: Fix 32-bit overflow in do_device_access causing memory corruption If I create a scsi_debug device that is larger than 4GB, the multiplication of (block * scsi_debug_sector_size) can produce a 64-bit value. Unfortunately, the compiler sees two 32-bit quantities and performs a 32-bit multiplication, thus truncating the bits above 2^32. This causes the wrong memory location to be read or written. Change block and rest to be unsigned long long. Signed-off-by: Darrick J. Wong Acked-by: Douglas Gilbert Signed-off-by: James Bottomley --- diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c index 7b310934efed..a6b2d72022fc 100644 --- a/drivers/scsi/scsi_debug.c +++ b/drivers/scsi/scsi_debug.c @@ -1671,7 +1671,7 @@ static int do_device_access(struct scsi_cmnd *scmd, unsigned long long lba, unsigned int num, int write) { int ret; - unsigned int block, rest = 0; + unsigned long long block, rest = 0; int (*func)(struct scsi_cmnd *, unsigned char *, int); func = write ? fetch_to_dev_buffer : fill_from_dev_buffer;