releases/3.5.2/ore-fix-out-of-bounds-access-in-_ios_obj.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 9e62bb4458ad2cf28bd701aa5fab380b846db326 Mon Sep 17 00:00:00 2001
 From: Boaz Harrosh <bharrosh@panasas.com>
 Date: Wed, 1 Aug 2012 17:48:36 +0300
 Subject: ore: Fix out-of-bounds access in _ios_obj()

 From: Boaz Harrosh <bharrosh@panasas.com>

 commit 9e62bb4458ad2cf28bd701aa5fab380b846db326 upstream.

 _ios_obj() is accessed by group_index not device_table index.

 The oc->comps array is only a group_full of devices at a time
 it is not like ore_comp_dev() which is indexed by a global
 device_table index.

 This did not BUG until now because exofs only uses a single
 COMP for all devices. But with other FSs like PanFS this is
 not true.

 This bug was only in the write_path, all other users were
 using it correctly

 [This is a bug since 3.2 Kernel]

 Signed-off-by: Boaz Harrosh <bharrosh@panasas.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  fs/exofs/ore.c |   14 +++++++-------
  1 file changed, 7 insertions(+), 7 deletions(-)

 --- a/fs/exofs/ore.c
 +++ b/fs/exofs/ore.c
 @@ -837,11 +837,11 @@ static int _write_mirror(struct ore_io_s
  				bio->bi_rw |= REQ_WRITE;
  			}

 -			osd_req_write(or, _ios_obj(ios, dev), per_dev->offset,
 -				      bio, per_dev->length);
 +			osd_req_write(or, _ios_obj(ios, cur_comp),
 +				      per_dev->offset, bio, per_dev->length);
  			ORE_DBGMSG("write(0x%llx) offset=0x%llx "
  				      "length=0x%llx dev=%d\n",
 -				     _LLU(_ios_obj(ios, dev)->id),
 +				     _LLU(_ios_obj(ios, cur_comp)->id),
  				     _LLU(per_dev->offset),
  				     _LLU(per_dev->length), dev);
  		} else if (ios->kern_buff) {
 @@ -853,20 +853,20 @@ static int _write_mirror(struct ore_io_s
  			       (ios->si.unit_off + ios->length >
  				ios->layout->stripe_unit));

 -			ret = osd_req_write_kern(or, _ios_obj(ios, per_dev->dev),
 +			ret = osd_req_write_kern(or, _ios_obj(ios, cur_comp),
  						 per_dev->offset,
  						 ios->kern_buff, ios->length);
  			if (unlikely(ret))
  				goto out;
  			ORE_DBGMSG2("write_kern(0x%llx) offset=0x%llx "
  				      "length=0x%llx dev=%d\n",
 -				     _LLU(_ios_obj(ios, dev)->id),
 +				     _LLU(_ios_obj(ios, cur_comp)->id),
  				     _LLU(per_dev->offset),
  				     _LLU(ios->length), per_dev->dev);
  		} else {
 -			osd_req_set_attributes(or, _ios_obj(ios, dev));
 +			osd_req_set_attributes(or, _ios_obj(ios, cur_comp));
  			ORE_DBGMSG2("obj(0x%llx) set_attributes=%d dev=%d\n",
 -				     _LLU(_ios_obj(ios, dev)->id),
 +				     _LLU(_ios_obj(ios, cur_comp)->id),
  				     ios->out_attr_len, dev);
  		}
	From 9e62bb4458ad2cf28bd701aa5fab380b846db326 Mon Sep 17 00:00:00 2001
	From: Boaz Harrosh <bharrosh@panasas.com>
	Date: Wed, 1 Aug 2012 17:48:36 +0300
	Subject: ore: Fix out-of-bounds access in _ios_obj()

	From: Boaz Harrosh <bharrosh@panasas.com>

	commit 9e62bb4458ad2cf28bd701aa5fab380b846db326 upstream.

	_ios_obj() is accessed by group_index not device_table index.

	The oc->comps array is only a group_full of devices at a time
	it is not like ore_comp_dev() which is indexed by a global
	device_table index.

	This did not BUG until now because exofs only uses a single
	COMP for all devices. But with other FSs like PanFS this is
	not true.

	This bug was only in the write_path, all other users were
	using it correctly

	[This is a bug since 3.2 Kernel]

	Signed-off-by: Boaz Harrosh <bharrosh@panasas.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	fs/exofs/ore.c \| 14 +++++++-------
	1 file changed, 7 insertions(+), 7 deletions(-)

	--- a/fs/exofs/ore.c
	+++ b/fs/exofs/ore.c
	@@ -837,11 +837,11 @@ static int _write_mirror(struct ore_io_s
	bio->bi_rw \|= REQ_WRITE;
	}

	- osd_req_write(or, _ios_obj(ios, dev), per_dev->offset,
	- bio, per_dev->length);
	+ osd_req_write(or, _ios_obj(ios, cur_comp),
	+ per_dev->offset, bio, per_dev->length);
	ORE_DBGMSG("write(0x%llx) offset=0x%llx "
	"length=0x%llx dev=%d\n",
	- _LLU(_ios_obj(ios, dev)->id),
	+ _LLU(_ios_obj(ios, cur_comp)->id),
	_LLU(per_dev->offset),
	_LLU(per_dev->length), dev);
	} else if (ios->kern_buff) {
	@@ -853,20 +853,20 @@ static int _write_mirror(struct ore_io_s
	(ios->si.unit_off + ios->length >
	ios->layout->stripe_unit));

	- ret = osd_req_write_kern(or, _ios_obj(ios, per_dev->dev),
	+ ret = osd_req_write_kern(or, _ios_obj(ios, cur_comp),
	per_dev->offset,
	ios->kern_buff, ios->length);
	if (unlikely(ret))
	goto out;
	ORE_DBGMSG2("write_kern(0x%llx) offset=0x%llx "
	"length=0x%llx dev=%d\n",
	- _LLU(_ios_obj(ios, dev)->id),
	+ _LLU(_ios_obj(ios, cur_comp)->id),
	_LLU(per_dev->offset),
	_LLU(ios->length), per_dev->dev);
	} else {
	- osd_req_set_attributes(or, _ios_obj(ios, dev));
	+ osd_req_set_attributes(or, _ios_obj(ios, cur_comp));
	ORE_DBGMSG2("obj(0x%llx) set_attributes=%d dev=%d\n",
	- _LLU(_ios_obj(ios, dev)->id),
	+ _LLU(_ios_obj(ios, cur_comp)->id),
	ios->out_attr_len, dev);
	}