ore: Fix out-of-bounds access in _ios_obj()
_ios_obj() is accessed by group_index not device_table index. The oc->comps array is only a group_full of devices at a time it is not like ore_comp_dev() which is indexed by a global device_table index. This did not BUG until now because exofs only uses a single COMP for all devices. But with other FSs like PanFS this is not true. This bug was only in the write_path, all other users were using it correctly [This is a bug since 3.2 Kernel] CC: Stable Tree <stable@kernel.org> Signed-off-by: Boaz Harrosh <bharrosh@panasas.com>
This commit is contained in:
Boaz Harrosh
Родитель
be388f3d9a
Коммит
9e62bb4458
|
|
@ -837,11 +837,11 @@ static int _write_mirror(struct ore_io_state *ios, int cur_comp)
|
||||||
bio->bi_rw |= REQ_WRITE;
|
bio->bi_rw |= REQ_WRITE;
|
||||||
}
|
}
|
||||||
|
|
||||||
osd_req_write(or, _ios_obj(ios, dev), per_dev->offset,
|
osd_req_write(or, _ios_obj(ios, cur_comp),
|
||||||
bio, per_dev->length);
|
per_dev->offset, bio, per_dev->length);
|
||||||
ORE_DBGMSG("write(0x%llx) offset=0x%llx "
|
ORE_DBGMSG("write(0x%llx) offset=0x%llx "
|
||||||
"length=0x%llx dev=%d\n",
|
"length=0x%llx dev=%d\n",
|
||||||
_LLU(_ios_obj(ios, dev)->id),
|
_LLU(_ios_obj(ios, cur_comp)->id),
|
||||||
_LLU(per_dev->offset),
|
_LLU(per_dev->offset),
|
||||||
_LLU(per_dev->length), dev);
|
_LLU(per_dev->length), dev);
|
||||||
} else if (ios->kern_buff) {
|
} else if (ios->kern_buff) {
|
||||||
|
|
@ -853,20 +853,20 @@ static int _write_mirror(struct ore_io_state *ios, int cur_comp)
|
||||||
(ios->si.unit_off + ios->length >
|
(ios->si.unit_off + ios->length >
|
||||||
ios->layout->stripe_unit));
|
ios->layout->stripe_unit));
|
||||||
|
|
||||||
ret = osd_req_write_kern(or, _ios_obj(ios, per_dev->dev),
|
ret = osd_req_write_kern(or, _ios_obj(ios, cur_comp),
|
||||||
per_dev->offset,
|
per_dev->offset,
|
||||||
ios->kern_buff, ios->length);
|
ios->kern_buff, ios->length);
|
||||||
if (unlikely(ret))
|
if (unlikely(ret))
|
||||||
goto out;
|
goto out;
|
||||||
ORE_DBGMSG2("write_kern(0x%llx) offset=0x%llx "
|
ORE_DBGMSG2("write_kern(0x%llx) offset=0x%llx "
|
||||||
"length=0x%llx dev=%d\n",
|
"length=0x%llx dev=%d\n",
|
||||||
_LLU(_ios_obj(ios, dev)->id),
|
_LLU(_ios_obj(ios, cur_comp)->id),
|
||||||
_LLU(per_dev->offset),
|
_LLU(per_dev->offset),
|
||||||
_LLU(ios->length), per_dev->dev);
|
_LLU(ios->length), per_dev->dev);
|
||||||
} else {
|
} else {
|
||||||
osd_req_set_attributes(or, _ios_obj(ios, dev));
|
osd_req_set_attributes(or, _ios_obj(ios, cur_comp));
|
||||||
ORE_DBGMSG2("obj(0x%llx) set_attributes=%d dev=%d\n",
|
ORE_DBGMSG2("obj(0x%llx) set_attributes=%d dev=%d\n",
|
||||||
_LLU(_ios_obj(ios, dev)->id),
|
_LLU(_ios_obj(ios, cur_comp)->id),
|
||||||
ios->out_attr_len, dev);
|
ios->out_attr_len, dev);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
Загрузка…
Ссылка в новой задаче