aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorBoaz Harrosh <bharrosh@panasas.com>2012-08-01 10:48:36 -0400
committerBoaz Harrosh <bharrosh@panasas.com>2012-08-02 09:41:56 -0400
commit9e62bb4458ad2cf28bd701aa5fab380b846db326 (patch)
tree951e8ec30887eba0506b0e673f4d26f9ad76591f
parentbe388f3d9af4155db0dc9e7e59dd49db90271c1c (diff)
ore: Fix out-of-bounds access in _ios_obj()
_ios_obj() is accessed by group_index not device_table index. The oc->comps array is only a group_full of devices at a time it is not like ore_comp_dev() which is indexed by a global device_table index. This did not BUG until now because exofs only uses a single COMP for all devices. But with other FSs like PanFS this is not true. This bug was only in the write_path, all other users were using it correctly [This is a bug since 3.2 Kernel] CC: Stable Tree <stable@kernel.org> Signed-off-by: Boaz Harrosh <bharrosh@panasas.com>
-rw-r--r--fs/exofs/ore.c14
1 files changed, 7 insertions, 7 deletions
diff --git a/fs/exofs/ore.c b/fs/exofs/ore.c
index 24a49d47e935..1585db1aa365 100644
--- a/fs/exofs/ore.c
+++ b/fs/exofs/ore.c
@@ -837,11 +837,11 @@ static int _write_mirror(struct ore_io_state *ios, int cur_comp)
837 bio->bi_rw |= REQ_WRITE; 837 bio->bi_rw |= REQ_WRITE;
838 } 838 }
839 839
840 osd_req_write(or, _ios_obj(ios, dev), per_dev->offset, 840 osd_req_write(or, _ios_obj(ios, cur_comp),
841 bio, per_dev->length); 841 per_dev->offset, bio, per_dev->length);
842 ORE_DBGMSG("write(0x%llx) offset=0x%llx " 842 ORE_DBGMSG("write(0x%llx) offset=0x%llx "
843 "length=0x%llx dev=%d\n", 843 "length=0x%llx dev=%d\n",
844 _LLU(_ios_obj(ios, dev)->id), 844 _LLU(_ios_obj(ios, cur_comp)->id),
845 _LLU(per_dev->offset), 845 _LLU(per_dev->offset),
846 _LLU(per_dev->length), dev); 846 _LLU(per_dev->length), dev);
847 } else if (ios->kern_buff) { 847 } else if (ios->kern_buff) {
@@ -853,20 +853,20 @@ static int _write_mirror(struct ore_io_state *ios, int cur_comp)
853 (ios->si.unit_off + ios->length > 853 (ios->si.unit_off + ios->length >
854 ios->layout->stripe_unit)); 854 ios->layout->stripe_unit));
855 855
856 ret = osd_req_write_kern(or, _ios_obj(ios, per_dev->dev), 856 ret = osd_req_write_kern(or, _ios_obj(ios, cur_comp),
857 per_dev->offset, 857 per_dev->offset,
858 ios->kern_buff, ios->length); 858 ios->kern_buff, ios->length);
859 if (unlikely(ret)) 859 if (unlikely(ret))
860 goto out; 860 goto out;
861 ORE_DBGMSG2("write_kern(0x%llx) offset=0x%llx " 861 ORE_DBGMSG2("write_kern(0x%llx) offset=0x%llx "
862 "length=0x%llx dev=%d\n", 862 "length=0x%llx dev=%d\n",
863 _LLU(_ios_obj(ios, dev)->id), 863 _LLU(_ios_obj(ios, cur_comp)->id),
864 _LLU(per_dev->offset), 864 _LLU(per_dev->offset),
865 _LLU(ios->length), per_dev->dev); 865 _LLU(ios->length), per_dev->dev);
866 } else { 866 } else {
867 osd_req_set_attributes(or, _ios_obj(ios, dev)); 867 osd_req_set_attributes(or, _ios_obj(ios, cur_comp));
868 ORE_DBGMSG2("obj(0x%llx) set_attributes=%d dev=%d\n", 868 ORE_DBGMSG2("obj(0x%llx) set_attributes=%d dev=%d\n",
869 _LLU(_ios_obj(ios, dev)->id), 869 _LLU(_ios_obj(ios, cur_comp)->id),
870 ios->out_attr_len, dev); 870 ios->out_attr_len, dev);
871 } 871 }
872 872