md: Avoid write invalid address if read_seqretry returned true.

If read_seqretry returned true and bbp was changed, it will write invalid address which can cause some serious problem. This bug was introduced by commit v3.0-rc7-130-g2699b67. So fix is suitable for 3.0.y thru 3.6.y. Reported-by: zhuwenfeng@kedacom.com Tested-by: zhuwenfeng@kedacom.com Cc: stable@vger.kernel.org Signed-off-by: Jianpeng Ma <majianpeng@gmail.com> Signed-off-by: NeilBrown <neilb@suse.de>
author: majianpeng <majianpeng@gmail.com> 2012-11-07 19:56:27 -0500
committer: NeilBrown <neilb@suse.de> 2012-11-19 18:27:17 -0500
commit: 35f9ac2dcec8f79d7059ce174fd7b7ee3290d620 (patch)
tree: 0192c0d2874221bf8672e278c86fd0239cb32b08 /drivers/md/md.c
parent: ab05613a0646dcc11049692d54bae76ca9ffa910 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/md/md.c b/drivers/md/md.c
index 14db6abb2c42..4c7d880a60a4 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -1817,10 +1817,10 @@ retry:
                        memset(bbp, 0xff, PAGE_SIZE);
                        for (i = 0 ; i < bb->count ; i++) {
-                                u64 internal_bb = *p++;
+                                u64 internal_bb = p[i];
                                u64 store_bb = ((BB_OFFSET(internal_bb) << 10)
                                                | BB_LEN(internal_bb));
-                                *bbp++ = cpu_to_le64(store_bb);
+                                bbp[i] = cpu_to_le64(store_bb);
                        }
                        bb->changed = 0;
                        if (read_seqretry(&bb->lock, seq))
author	majianpeng <majianpeng@gmail.com>	2012-11-07 19:56:27 -0500
committer	NeilBrown <neilb@suse.de>	2012-11-19 18:27:17 -0500
commit	35f9ac2dcec8f79d7059ce174fd7b7ee3290d620 (patch)
tree	0192c0d2874221bf8672e278c86fd0239cb32b08 /drivers/md/md.c
parent	ab05613a0646dcc11049692d54bae76ca9ffa910 (diff)

diff --git a/drivers/md/md.c b/drivers/md/md.c index 14db6abb2c42..4c7d880a60a4 100644 --- a/drivers/md/md.c +++ b/drivers/md/md.c
@@ -1817,10 +1817,10 @@ retry:
1817	memset(bbp, 0xff, PAGE_SIZE);	1817	memset(bbp, 0xff, PAGE_SIZE);
1818		1818
1819	for (i = 0 ; i < bb->count ; i++) {	1819	for (i = 0 ; i < bb->count ; i++) {
1820	u64 internal_bb = *p++;	1820	u64 internal_bb = p[i];
1821	u64 store_bb = ((BB_OFFSET(internal_bb) << 10)	1821	u64 store_bb = ((BB_OFFSET(internal_bb) << 10)
1822	\| BB_LEN(internal_bb));	1822	\| BB_LEN(internal_bb));
1823	*bbp++ = cpu_to_le64(store_bb);	1823	bbp[i] = cpu_to_le64(store_bb);
1824	}	1824	}
1825	bb->changed = 0;	1825	bb->changed = 0;
1826	if (read_seqretry(&bb->lock, seq))	1826	if (read_seqretry(&bb->lock, seq))