diff options
author | Boaz Harrosh <bharrosh@panasas.com> | 2012-08-01 10:48:36 -0400 |
---|---|---|
committer | Boaz Harrosh <bharrosh@panasas.com> | 2012-08-02 09:41:56 -0400 |
commit | 9e62bb4458ad2cf28bd701aa5fab380b846db326 (patch) | |
tree | 951e8ec30887eba0506b0e673f4d26f9ad76591f | |
parent | be388f3d9af4155db0dc9e7e59dd49db90271c1c (diff) |
ore: Fix out-of-bounds access in _ios_obj()
_ios_obj() is accessed by group_index not device_table index.
The oc->comps array is only a group_full of devices at a time
it is not like ore_comp_dev() which is indexed by a global
device_table index.
This did not BUG until now because exofs only uses a single
COMP for all devices. But with other FSs like PanFS this is
not true.
This bug was only in the write_path, all other users were
using it correctly
[This is a bug since 3.2 Kernel]
CC: Stable Tree <stable@kernel.org>
Signed-off-by: Boaz Harrosh <bharrosh@panasas.com>
-rw-r--r-- | fs/exofs/ore.c | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/fs/exofs/ore.c b/fs/exofs/ore.c index 24a49d47e935..1585db1aa365 100644 --- a/fs/exofs/ore.c +++ b/fs/exofs/ore.c | |||
@@ -837,11 +837,11 @@ static int _write_mirror(struct ore_io_state *ios, int cur_comp) | |||
837 | bio->bi_rw |= REQ_WRITE; | 837 | bio->bi_rw |= REQ_WRITE; |
838 | } | 838 | } |
839 | 839 | ||
840 | osd_req_write(or, _ios_obj(ios, dev), per_dev->offset, | 840 | osd_req_write(or, _ios_obj(ios, cur_comp), |
841 | bio, per_dev->length); | 841 | per_dev->offset, bio, per_dev->length); |
842 | ORE_DBGMSG("write(0x%llx) offset=0x%llx " | 842 | ORE_DBGMSG("write(0x%llx) offset=0x%llx " |
843 | "length=0x%llx dev=%d\n", | 843 | "length=0x%llx dev=%d\n", |
844 | _LLU(_ios_obj(ios, dev)->id), | 844 | _LLU(_ios_obj(ios, cur_comp)->id), |
845 | _LLU(per_dev->offset), | 845 | _LLU(per_dev->offset), |
846 | _LLU(per_dev->length), dev); | 846 | _LLU(per_dev->length), dev); |
847 | } else if (ios->kern_buff) { | 847 | } else if (ios->kern_buff) { |
@@ -853,20 +853,20 @@ static int _write_mirror(struct ore_io_state *ios, int cur_comp) | |||
853 | (ios->si.unit_off + ios->length > | 853 | (ios->si.unit_off + ios->length > |
854 | ios->layout->stripe_unit)); | 854 | ios->layout->stripe_unit)); |
855 | 855 | ||
856 | ret = osd_req_write_kern(or, _ios_obj(ios, per_dev->dev), | 856 | ret = osd_req_write_kern(or, _ios_obj(ios, cur_comp), |
857 | per_dev->offset, | 857 | per_dev->offset, |
858 | ios->kern_buff, ios->length); | 858 | ios->kern_buff, ios->length); |
859 | if (unlikely(ret)) | 859 | if (unlikely(ret)) |
860 | goto out; | 860 | goto out; |
861 | ORE_DBGMSG2("write_kern(0x%llx) offset=0x%llx " | 861 | ORE_DBGMSG2("write_kern(0x%llx) offset=0x%llx " |
862 | "length=0x%llx dev=%d\n", | 862 | "length=0x%llx dev=%d\n", |
863 | _LLU(_ios_obj(ios, dev)->id), | 863 | _LLU(_ios_obj(ios, cur_comp)->id), |
864 | _LLU(per_dev->offset), | 864 | _LLU(per_dev->offset), |
865 | _LLU(ios->length), per_dev->dev); | 865 | _LLU(ios->length), per_dev->dev); |
866 | } else { | 866 | } else { |
867 | osd_req_set_attributes(or, _ios_obj(ios, dev)); | 867 | osd_req_set_attributes(or, _ios_obj(ios, cur_comp)); |
868 | ORE_DBGMSG2("obj(0x%llx) set_attributes=%d dev=%d\n", | 868 | ORE_DBGMSG2("obj(0x%llx) set_attributes=%d dev=%d\n", |
869 | _LLU(_ios_obj(ios, dev)->id), | 869 | _LLU(_ios_obj(ios, cur_comp)->id), |
870 | ios->out_attr_len, dev); | 870 | ios->out_attr_len, dev); |
871 | } | 871 | } |
872 | 872 | ||