Message ID | 1451396276-2589-2-git-send-email-m@bjorling.me (mailing list archive) |
---|---|
State | Accepted, archived |
Delegated to: | Jens Axboe |
Headers | show |
On 12/29/2015 06:37 AM, Matias Bjørling wrote: > dev->nr_luns reports the total number of luns available in a device > while dev->luns_per_chnl is the number of luns per channel. > > When multiple channels are available, the offset is calculated from a > channel and lun id into a linear array. As it multiplies with > the total number of luns, we go out of bound when channel id > 0 and > causes the kernel to panic when we read a protected kernel memory area. Added for 4.4, thanks.
diff --git a/drivers/lightnvm/gennvm.c b/drivers/lightnvm/gennvm.c index 04aead4..12ddcaa 100644 --- a/drivers/lightnvm/gennvm.c +++ b/drivers/lightnvm/gennvm.c @@ -75,7 +75,7 @@ static int gennvm_block_bb(struct ppa_addr ppa, int nr_blocks, u8 *blks, struct nvm_block *blk; int i; - lun = &gn->luns[(dev->nr_luns * ppa.g.ch) + ppa.g.lun]; + lun = &gn->luns[(dev->luns_per_chnl * ppa.g.ch) + ppa.g.lun]; for (i = 0; i < nr_blocks; i++) { if (blks[i] == 0)
dev->nr_luns reports the total number of luns available in a device while dev->luns_per_chnl is the number of luns per channel. When multiple channels are available, the offset is calculated from a channel and lun id into a linear array. As it multiplies with the total number of luns, we go out of bound when channel id > 0 and causes the kernel to panic when we read a protected kernel memory area. Signed-off-by: Matias Bjørling <m@bjorling.me> --- drivers/lightnvm/gennvm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)