From: KAMBAROV, ZAUR Date: Wed, 29 Jun 2005 03:45:06 +0000 (-0700) Subject: [PATCH] coverity: i386: scsi_lib buffer overrun fix X-Git-Tag: firefly_0821_release~43179 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=a77e3362a224212d9d3b9e6fdec44df2eef6cf92;p=firefly-linux-kernel-4.4.55.git [PATCH] coverity: i386: scsi_lib buffer overrun fix The check in 627 BUG_ON(index > SG_MEMPOOL_NR); with SG_MEMPOOL_NR defined in 32 #define SG_MEMPOOL_NR (sizeof(scsi_sg_pools)/sizeof(struct scsi_host_sg_pool)) was not sufficient. sgp, set in 629 sgp = scsi_sg_pools + index; is dereferenced in 630 mempool_free(sgl, sgp->pool); Signed-off-by: Zaur Kambarov Cc: Cc: James Bottomley Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c index 621dee8b8cb2..10506f9cd0c9 100644 --- a/drivers/scsi/scsi_lib.c +++ b/drivers/scsi/scsi_lib.c @@ -632,7 +632,7 @@ static void scsi_free_sgtable(struct scatterlist *sgl, int index) { struct scsi_host_sg_pool *sgp; - BUG_ON(index > SG_MEMPOOL_NR); + BUG_ON(index >= SG_MEMPOOL_NR); sgp = scsi_sg_pools + index; mempool_free(sgl, sgp->pool);