From patchwork Fri May 6 18:03:10 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Matias_Bj=C3=B8rling?= X-Patchwork-Id: 9035401 Return-Path: X-Original-To: patchwork-linux-block@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork2.web.kernel.org (Postfix) with ESMTP id 98944BF29F for ; Fri, 6 May 2016 18:08:49 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id BD1AE20274 for ; Fri, 6 May 2016 18:08:48 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id DB16F20272 for ; Fri, 6 May 2016 18:08:47 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1758486AbcEFSIr (ORCPT ); Fri, 6 May 2016 14:08:47 -0400 Received: from mail-wm0-f50.google.com ([74.125.82.50]:35317 "EHLO mail-wm0-f50.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1758763AbcEFSDu (ORCPT ); Fri, 6 May 2016 14:03:50 -0400 Received: by mail-wm0-f50.google.com with SMTP id e201so66840522wme.0 for ; Fri, 06 May 2016 11:03:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bjorling.me; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=UiLXdSaRmtEzQnoJ4Cf6rXTjA5vI8DzVxi8UpAaFUs4=; b=ls6h4rtXrcBtewFuigH0dmF5dLM0EgxqJu7V/RWAY+TEzg5kEcib0eIxK7Tp/x+u9l 8XuwGTDMUFODV/M5/K8ve7FbCXtsHS62BII1wNJ9dKqWXpPt57wH9e1PEvCdBBRxI6N8 7E4zzZPYRTw7LItAnJ/pTdW/CRVDqeuLCodOU= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=UiLXdSaRmtEzQnoJ4Cf6rXTjA5vI8DzVxi8UpAaFUs4=; b=eb8KoC9+7IWS9tGAWKI3I8fuAj6jJIv3ozc3lEIBzJkYFSlyR2SU8BDBBz/49ii1FM r+UK7PmzcLjmmRgs6wBUaRUwluOMtmjm524aqmwcynURufyVPWGwJ5a6k6rd87c8VvbA W4D75RgnyBY7fIhY0s6ThYWG73zOeYIthuQWN7m5IzJ1UVYM3RVSmjwnscYuFRNunyxT kwfLnjVmf8oTpioudpeSr+yLeM6TjrfLE3gu+U+GDecNPaJLtQRtjfIkol5xU9wqNkjF dch1uHPJpiu1HACJznKbm5A0wJZOkWUH76dGQHwZZhjvGgoQoukpnI3bnD7PKIY0SJ/T UJLA== X-Gm-Message-State: AOPr4FWFtaANqszrhuKeRDJS04EA/1xfxyPl/SD6zjmOppUKKQ/6sSgMduL+7m+vxTVa1w== X-Received: by 10.194.220.230 with SMTP id pz6mr4722784wjc.93.1462557829632; Fri, 06 May 2016 11:03:49 -0700 (PDT) Received: from Macroninja.cnexlabs.com (6164211-cl69.boa.fiberby.dk. [193.106.164.211]) by smtp.gmail.com with ESMTPSA id kz1sm16076559wjc.46.2016.05.06.11.03.48 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Fri, 06 May 2016 11:03:49 -0700 (PDT) From: =?UTF-8?q?Matias=20Bj=C3=B8rling?= To: linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, axboe@fb.com Cc: =?UTF-8?q?Matias=20Bj=C3=B8rling?= Subject: [PATCH 17/28] lightnvm: fix out of bound ppa lun id on bb tbl Date: Fri, 6 May 2016 20:03:10 +0200 Message-Id: <1462557801-24974-18-git-send-email-m@bjorling.me> X-Mailer: git-send-email 2.1.4 In-Reply-To: <1462557801-24974-1-git-send-email-m@bjorling.me> References: <1462557801-24974-1-git-send-email-m@bjorling.me> MIME-Version: 1.0 Sender: linux-block-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-block@vger.kernel.org X-Spam-Status: No, score=-8.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_HI,RP_MATCHES_RCVD,T_DKIM_INVALID,UNPARSEABLE_RELAY autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP The ppa configured for retrieving the bad block table uses the internal lun id to setup the get bad block ppa. This increases monotonically with the number luns available. When configuring a ppa, the channel and lun must be specified separately, leading to an out of bound memory access in gennvm_block_bb when lun id goes beyond the luns available within a channel. Additional, remove out of bound check in gennvm_block_bb(), as it was a buggy to begin with. Signed-off-by: Matias Bjørling --- drivers/lightnvm/gennvm.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/drivers/lightnvm/gennvm.c b/drivers/lightnvm/gennvm.c index 89b880a..61790ae 100644 --- a/drivers/lightnvm/gennvm.c +++ b/drivers/lightnvm/gennvm.c @@ -148,11 +148,6 @@ static int gennvm_block_bb(struct gen_nvm *gn, struct ppa_addr ppa, continue; blk = &lun->vlun.blocks[i]; - if (!blk) { - pr_err("gennvm: BB data is out of bounds.\n"); - return -EINVAL; - } - list_move_tail(&blk->list, &lun->bb_list); lun->vlun.nr_bad_blocks++; lun->vlun.nr_free_blocks--; @@ -257,7 +252,7 @@ static int gennvm_blocks_init(struct nvm_dev *dev, struct gen_nvm *gn) ppa.ppa = 0; ppa.g.ch = lun->vlun.chnl_id; - ppa.g.lun = lun->vlun.id; + ppa.g.lun = lun->vlun.lun_id; ret = nvm_get_bb_tbl(dev, ppa, blks); if (ret)