[PATCH] uml: ubd can access uninitialized memory

From: Steve VanDeBogart
Date: Friday, August 29, 2008 - 4:26 pm

ubd_kern.c:do_io() may access uninitialized memory and divide requests
into smaller chunks than necessary.  Found with Valgrind.

Signed-off-by: Steve VanDeBogart <vandebo-lkml@nerdbox.net>
---

Index: linux-2.6.27-rc5/arch/um/drivers/ubd_kern.c
===================================================================
--- linux-2.6.27-rc5.orig/arch/um/drivers/ubd_kern.c	2008-08-29 15:50:19.000000000 -0700
+++ linux-2.6.27-rc5/arch/um/drivers/ubd_kern.c	2008-08-29 15:51:48.000000000 -0700
@@ -1218,8 +1218,7 @@
  	struct ubd *ubd_dev = disk->private_data;

  	io_req->req = req;
-	io_req->fds[0] = (ubd_dev->cow.file != NULL) ? ubd_dev->cow.fd :
-		ubd_dev->fd;
+	io_req->fds[0] = (ubd_dev->cow.file == NULL) ? -1 : ubd_dev->cow.fd;
  	io_req->fds[1] = ubd_dev->fd;
  	io_req->cow_offset = -1;
  	io_req->offset = offset;
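Review bot: The `-1` assigned in `io_req->fds[0] = (ubd_dev->cow.file == NULL) ? -1 : ubd_dev->cow.fd;` is an undocumented sentinel, and the second hunk depends on it through `req->fds[0] == -1`. A one-line comment above the assignment, such as `/* fds[0] == -1: no COW layer, do_io() must not consult sector_mask */`, would tie the two sites together. Before this change fds[0] always held a usable descriptor, so any other reader of fds[0] that is not shown in this patch should be checked to confirm it cannot hand -1 to an I/O or sync call. The enclosing function starts and ends outside the hunk.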
@@ -1374,12 +1373,18 @@
  	nsectors = req->length / req->sectorsize;
  	start = 0;
  	do {
-		bit = ubd_test_bit(start, (unsigned char *) &req->sector_mask);
-		end = start;
-		while((end < nsectors) &&
-		      (ubd_test_bit(end, (unsigned char *)
-				    &req->sector_mask) == bit))
-			end++;
+		if (req->fds[0] == -1) {
+			bit = 1;
+			end = nsectors;
+		} else {
+			bit = ubd_test_bit(start,
+					(unsigned char *) &req->sector_mask);
+			end = start;
+			while ((end < nsectors) &&
+					(ubd_test_bit(end, (unsigned char *)
+						  &req->sector_mask) == bit))
+				end++;
+		}

  		off = req->offset + req->offsets[bit] +
  			start * req->sectorsize;
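Review bot: The new `if (req->fds[0] == -1)` branch carries no comment explaining why the mask scan is skipped, which makes the hard-coded `bit = 1` read as arbitrary. I would add `/* No COW file: sector_mask was never set up, so issue the whole request against slot 1 (the backing file) */` above the `if`. Since `bit` then indexes `req->offsets[bit]` (and presumably the descriptor array further down), the comment should state that slot 1 is the plain image, which is visible only from `io_req->fds[1] = ubd_dev->fd` in the first hunk. The do/while loop and the rest of do_io continue outside the hunk, so the handling after the loop could not be checked here.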
--