md: guard against possible bad array geometry in v1 metadata

Make sure the data doesn't start before the end of the superblock when the
superblock is at the start of the device.

Signed-off-by: Neil Brown <neilb@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

1 files changed, 6 insertions, 2 deletions

diff --git a/drivers/md/md.c b/drivers/md/md.c
index 7da6ec244e15..b375de5c1af2 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -1105,7 +1105,11 @@ static int super_1_load(mdk_rdev_t *rdev, mdk_rdev_t *refdev, int minor_version)
         rdev->sb_size = le32_to_cpu(sb->max_dev) * 2 + 256;
         bmask = queue_hardsect_size(rdev->bdev->bd_disk->queue)-1;
         if (rdev->sb_size & bmask)
-                rdev-> sb_size = (rdev->sb_size | bmask)+1;
+                rdev->sb_size = (rdev->sb_size | bmask) + 1;
+
+        if (minor_version
+            && rdev->data_offset < sb_offset + (rdev->sb_size/512))
+                return -EINVAL;
 
         if (sb->level == cpu_to_le32(LEVEL_MULTIPATH))
                 rdev->desc_nr = -1;
@@ -1137,7 +1141,7 @@ static int super_1_load(mdk_rdev_t *rdev, mdk_rdev_t *refdev, int minor_version)
                 else
                         ret = 0;
         }
-        if (minor_version) 
+        if (minor_version)
                 rdev->size = ((rdev->bdev->bd_inode->i_size>>9) - le64_to_cpu(sb->data_offset)) / 2;
         else
                 rdev->size = rdev->sb_offset;