diff options
| author | Li Zefan <lizf@cn.fujitsu.com> | 2011-02-16 01:06:41 -0500 |
|---|---|---|
| committer | Chris Mason <chris.mason@oracle.com> | 2011-02-16 15:37:58 -0500 |
| commit | ca9b688c1c9a21635cfc8af8b68565b154185196 (patch) | |
| tree | bfc9eed8a9099503645b467733707246b246ed19 /fs | |
| parent | b4dc2b8c694ead005b828f5fb7fa1134db5b6275 (diff) | |
Btrfs: Avoid accessing unmapped kernel address
When decompressing a chunk of data, we'll copy the data out to
a working buffer if the data is stored in more than one page,
otherwise we'll use the mapped page directly to avoid memory
copy.
In the latter case, we'll end up accessing the kernel address
after we've unmapped the page in a corner case.
Reported-by: Juan Francisco Cantero Hurtado <iam@juanfra.info>
Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
Signed-off-by: Chris Mason <chris.mason@oracle.com>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/btrfs/lzo.c | 21 |
1 files changed, 14 insertions, 7 deletions
diff --git a/fs/btrfs/lzo.c b/fs/btrfs/lzo.c index cc9b450399df..a178f5ebea78 100644 --- a/fs/btrfs/lzo.c +++ b/fs/btrfs/lzo.c | |||
| @@ -280,6 +280,7 @@ static int lzo_decompress_biovec(struct list_head *ws, | |||
| 280 | unsigned long tot_out; | 280 | unsigned long tot_out; |
| 281 | unsigned long tot_len; | 281 | unsigned long tot_len; |
| 282 | char *buf; | 282 | char *buf; |
| 283 | bool may_late_unmap, need_unmap; | ||
| 283 | 284 | ||
| 284 | data_in = kmap(pages_in[0]); | 285 | data_in = kmap(pages_in[0]); |
| 285 | tot_len = read_compress_length(data_in); | 286 | tot_len = read_compress_length(data_in); |
| @@ -300,11 +301,13 @@ static int lzo_decompress_biovec(struct list_head *ws, | |||
| 300 | 301 | ||
| 301 | tot_in += in_len; | 302 | tot_in += in_len; |
| 302 | working_bytes = in_len; | 303 | working_bytes = in_len; |
| 304 | may_late_unmap = need_unmap = false; | ||
| 303 | 305 | ||
| 304 | /* fast path: avoid using the working buffer */ | 306 | /* fast path: avoid using the working buffer */ |
| 305 | if (in_page_bytes_left >= in_len) { | 307 | if (in_page_bytes_left >= in_len) { |
| 306 | buf = data_in + in_offset; | 308 | buf = data_in + in_offset; |
| 307 | bytes = in_len; | 309 | bytes = in_len; |
| 310 | may_late_unmap = true; | ||
| 308 | goto cont; | 311 | goto cont; |
| 309 | } | 312 | } |
| 310 | 313 | ||
| @@ -329,14 +332,17 @@ cont: | |||
| 329 | if (working_bytes == 0 && tot_in >= tot_len) | 332 | if (working_bytes == 0 && tot_in >= tot_len) |
| 330 | break; | 333 | break; |
| 331 | 334 | ||
| 332 | kunmap(pages_in[page_in_index]); | 335 | if (page_in_index + 1 >= total_pages_in) { |
| 333 | page_in_index++; | ||
| 334 | if (page_in_index >= total_pages_in) { | ||
| 335 | ret = -1; | 336 | ret = -1; |
| 336 | data_in = NULL; | ||
| 337 | goto done; | 337 | goto done; |
| 338 | } | 338 | } |
| 339 | data_in = kmap(pages_in[page_in_index]); | 339 | |
| 340 | if (may_late_unmap) | ||
| 341 | need_unmap = true; | ||
| 342 | else | ||
| 343 | kunmap(pages_in[page_in_index]); | ||
| 344 | |||
| 345 | data_in = kmap(pages_in[++page_in_index]); | ||
| 340 | 346 | ||
| 341 | in_page_bytes_left = PAGE_CACHE_SIZE; | 347 | in_page_bytes_left = PAGE_CACHE_SIZE; |
| 342 | in_offset = 0; | 348 | in_offset = 0; |
| @@ -346,6 +352,8 @@ cont: | |||
| 346 | out_len = lzo1x_worst_compress(PAGE_CACHE_SIZE); | 352 | out_len = lzo1x_worst_compress(PAGE_CACHE_SIZE); |
| 347 | ret = lzo1x_decompress_safe(buf, in_len, workspace->buf, | 353 | ret = lzo1x_decompress_safe(buf, in_len, workspace->buf, |
| 348 | &out_len); | 354 | &out_len); |
| 355 | if (need_unmap) | ||
| 356 | kunmap(pages_in[page_in_index - 1]); | ||
| 349 | if (ret != LZO_E_OK) { | 357 | if (ret != LZO_E_OK) { |
| 350 | printk(KERN_WARNING "btrfs decompress failed\n"); | 358 | printk(KERN_WARNING "btrfs decompress failed\n"); |
| 351 | ret = -1; | 359 | ret = -1; |
| @@ -363,8 +371,7 @@ cont: | |||
| 363 | break; | 371 | break; |
| 364 | } | 372 | } |
| 365 | done: | 373 | done: |
| 366 | if (data_in) | 374 | kunmap(pages_in[page_in_index]); |
| 367 | kunmap(pages_in[page_in_index]); | ||
| 368 | return ret; | 375 | return ret; |
| 369 | } | 376 | } |
| 370 | 377 | ||