lightnvm: wrong offset in bad blk lun calculation

dev->nr_luns reports the total number of luns available in a device while dev->luns_per_chnl is the number of luns per channel. When multiple channels are available, the offset is calculated from a channel and lun id into a linear array. As it multiplies with the total number of luns, we go out of bound when channel id > 0 and causes the kernel to panic when we read a protected kernel memory area. Signed-off-by: Matias Bjørling <m@bjorling.me> Signed-off-by: Jens Axboe <axboe@fb.com>
git-mirror · Dec 29, 2015 · c3293a9 · c3293a9
1 parent 48cc661
commit c3293a9
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/drivers/lightnvm/gennvm.c b/drivers/lightnvm/gennvm.c
@@ -75,7 +75,7 @@ static int gennvm_block_bb(struct ppa_addr ppa, int nr_blocks, u8 *blks,
 	struct nvm_block *blk;
 	int i;
 
-	lun = &gn->luns[(dev->nr_luns * ppa.g.ch) + ppa.g.lun];
+	lun = &gn->luns[(dev->luns_per_chnl * ppa.g.ch) + ppa.g.lun];
 
 	for (i = 0; i < nr_blocks; i++) {
 		if (blks[i] == 0)