From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Greg KH <gregkh@linuxfoundation.org>,
torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, Boaz Harrosh <bharrosh@panasas.com>
Subject: [ 24/65] ore: Fix out-of-bounds access in _ios_obj()
Date: Mon, 13 Aug 2012 15:14:08 -0700 [thread overview]
Message-ID: <20120813221417.093549310@linuxfoundation.org> (raw)
In-Reply-To: <20120813221414.965154048@linuxfoundation.org>
From: Greg KH <gregkh@linuxfoundation.org>
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Boaz Harrosh <bharrosh@panasas.com>
commit 9e62bb4458ad2cf28bd701aa5fab380b846db326 upstream.
_ios_obj() is accessed by group_index not device_table index.
The oc->comps array is only a group_full of devices at a time
it is not like ore_comp_dev() which is indexed by a global
device_table index.
This did not BUG until now because exofs only uses a single
COMP for all devices. But with other FSs like PanFS this is
not true.
This bug was only in the write_path, all other users were
using it correctly
[This is a bug since 3.2 Kernel]
Signed-off-by: Boaz Harrosh <bharrosh@panasas.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/exofs/ore.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
--- a/fs/exofs/ore.c
+++ b/fs/exofs/ore.c
@@ -837,11 +837,11 @@ static int _write_mirror(struct ore_io_s
bio->bi_rw |= REQ_WRITE;
}
- osd_req_write(or, _ios_obj(ios, dev), per_dev->offset,
- bio, per_dev->length);
+ osd_req_write(or, _ios_obj(ios, cur_comp),
+ per_dev->offset, bio, per_dev->length);
ORE_DBGMSG("write(0x%llx) offset=0x%llx "
"length=0x%llx dev=%d\n",
- _LLU(_ios_obj(ios, dev)->id),
+ _LLU(_ios_obj(ios, cur_comp)->id),
_LLU(per_dev->offset),
_LLU(per_dev->length), dev);
} else if (ios->kern_buff) {
@@ -853,20 +853,20 @@ static int _write_mirror(struct ore_io_s
(ios->si.unit_off + ios->length >
ios->layout->stripe_unit));
- ret = osd_req_write_kern(or, _ios_obj(ios, per_dev->dev),
+ ret = osd_req_write_kern(or, _ios_obj(ios, cur_comp),
per_dev->offset,
ios->kern_buff, ios->length);
if (unlikely(ret))
goto out;
ORE_DBGMSG2("write_kern(0x%llx) offset=0x%llx "
"length=0x%llx dev=%d\n",
- _LLU(_ios_obj(ios, dev)->id),
+ _LLU(_ios_obj(ios, cur_comp)->id),
_LLU(per_dev->offset),
_LLU(ios->length), per_dev->dev);
} else {
- osd_req_set_attributes(or, _ios_obj(ios, dev));
+ osd_req_set_attributes(or, _ios_obj(ios, cur_comp));
ORE_DBGMSG2("obj(0x%llx) set_attributes=%d dev=%d\n",
- _LLU(_ios_obj(ios, dev)->id),
+ _LLU(_ios_obj(ios, cur_comp)->id),
ios->out_attr_len, dev);
}
next prev parent reply other threads:[~2012-08-13 22:28 UTC|newest]
Thread overview: 68+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-08-13 22:13 [ 00/65] 3.4.9-stable review Greg Kroah-Hartman
2012-08-13 22:13 ` [ 01/65] [IA64] Redefine ATOMIC_INIT and ATOMIC64_INIT to drop the casts Greg Kroah-Hartman
2012-08-13 22:13 ` [ 02/65] asus-wmi: use ASUS_WMI_METHODID_DSTS2 as default DSTS ID Greg Kroah-Hartman
2012-08-13 22:13 ` [ 03/65] sunrpc: clnt: Add missing braces Greg Kroah-Hartman
2012-08-13 22:13 ` [ 04/65] SUNRPC: return negative value in case rpcbind client creation error Greg Kroah-Hartman
2012-08-13 22:13 ` [ 05/65] nilfs2: fix deadlock issue between chcp and thaw ioctls Greg Kroah-Hartman
2012-08-13 22:13 ` [ 06/65] media: ene_ir: Fix driver initialisation Greg Kroah-Hartman
2012-08-13 22:13 ` [ 07/65] pcdp: use early_ioremap/early_iounmap to access pcdp table Greg Kroah-Hartman
2012-08-13 22:13 ` [ 08/65] mm: fix wrong argument of migrate_huge_pages() in soft_offline_huge_page() Greg Kroah-Hartman
2012-08-13 22:13 ` [ 09/65] ARM: 7466/1: disable interrupt before spinning endlessly Greg Kroah-Hartman
2012-08-13 22:13 ` [ 10/65] ARM: 7467/1: mutex: use generic xchg-based implementation for ARMv6+ Greg Kroah-Hartman
2012-08-15 4:29 ` Ben Hutchings
2012-08-15 9:10 ` Will Deacon
2012-08-13 22:13 ` [ 11/65] ARM: 7476/1: vfp: only clear vfp state for current cpu in vfp_pm_suspend Greg Kroah-Hartman
2012-08-13 22:13 ` [ 12/65] ARM: 7477/1: vfp: Always save VFP state in vfp_pm_suspend on UP Greg Kroah-Hartman
2012-08-13 22:13 ` [ 13/65] ARM: 7478/1: errata: extend workaround for erratum #720789 Greg Kroah-Hartman
2012-08-13 22:13 ` [ 14/65] ARM: 7479/1: mm: avoid NULL dereference when flushing gate_vma with VIVT caches Greg Kroah-Hartman
2012-08-13 22:13 ` [ 15/65] ARM: 7480/1: only call smp_send_stop() on SMP Greg Kroah-Hartman
2012-08-13 22:14 ` [ 16/65] ARM: Fix undefined instruction exception handling Greg Kroah-Hartman
2012-08-13 22:14 ` [ 17/65] ALSA: hda - add dock support for Thinkpad T430s Greg Kroah-Hartman
2012-08-13 22:14 ` [ 18/65] ALSA: hda - add dock support for Thinkpad X230 Greg Kroah-Hartman
2012-08-13 22:14 ` [ 19/65] ALSA: hda - remove quirk for Dell Vostro 1015 Greg Kroah-Hartman
2012-08-13 22:14 ` [ 20/65] ALSA: hda - Fix double quirk for Quanta FL1 / Lenovo Ideapad Greg Kroah-Hartman
2012-08-13 22:14 ` [ 21/65] mm: mmu_notifier: fix freed page still mapped in secondary MMU Greg Kroah-Hartman
2012-08-13 22:14 ` [ 22/65] md/raid1: dont abort a resync on the first badblock Greg Kroah-Hartman
2012-08-13 22:14 ` [ 23/65] video/smscufx: fix line counting in fb_write Greg Kroah-Hartman
2012-08-13 22:14 ` Greg Kroah-Hartman [this message]
2012-08-13 22:14 ` [ 25/65] ACPI processor: Fix tick_broadcast_mask online/offline regression Greg Kroah-Hartman
2012-08-13 22:14 ` [ 26/65] mac80211: cancel mesh path timer Greg Kroah-Hartman
2012-08-13 22:14 ` [ 27/65] ath9k: Add PID/VID support for AR1111 Greg Kroah-Hartman
2012-08-13 22:14 ` [ 28/65] wireless: reg: restore previous behaviour of chan->max_power calculations Greg Kroah-Hartman
2012-08-13 22:14 ` [ 29/65] x86, nops: Missing break resulting in incorrect selection on Intel Greg Kroah-Hartman
2012-08-13 22:14 ` [ 30/65] random: make add_interrupt_randomness() do something sane Greg Kroah-Hartman
2012-08-13 22:14 ` [ 31/65] random: use lockless techniques in the interrupt path Greg Kroah-Hartman
2012-08-13 22:14 ` [ 32/65] random: create add_device_randomness() interface Greg Kroah-Hartman
2012-08-13 22:14 ` [ 33/65] usb: feed USB device information to the /dev/random driver Greg Kroah-Hartman
2012-08-13 22:14 ` [ 34/65] net: feed /dev/random with the MAC address when registering a device Greg Kroah-Hartman
2012-08-13 22:14 ` [ 35/65] random: use the arch-specific rng in xfer_secondary_pool Greg Kroah-Hartman
2012-08-13 22:14 ` [ 36/65] random: add new get_random_bytes_arch() function Greg Kroah-Hartman
2012-08-13 22:14 ` [ 37/65] random: add tracepoints for easier debugging and verification Greg Kroah-Hartman
2012-08-13 22:14 ` [ 38/65] MAINTAINERS: Theodore Tso is taking over the random driver Greg Kroah-Hartman
2012-08-13 22:14 ` [ 39/65] rtc: wm831x: Feed the write counter into device_add_randomness() Greg Kroah-Hartman
2012-08-13 22:14 ` [ 40/65] mfd: wm831x: Feed the device UUID " Greg Kroah-Hartman
2012-08-13 22:14 ` [ 41/65] random: remove rand_initialize_irq() Greg Kroah-Hartman
2012-08-13 22:14 ` [ 42/65] random: Add comment to random_initialize() Greg Kroah-Hartman
2012-08-13 22:14 ` [ 43/65] dmi: Feed DMI table to /dev/random driver Greg Kroah-Hartman
2012-08-13 22:14 ` [ 44/65] random: mix in architectural randomness in extract_buf() Greg Kroah-Hartman
2012-08-13 22:14 ` [ 45/65] HID: multitouch: add support for Novatek touchscreen Greg Kroah-Hartman
2012-08-13 22:14 ` [ 46/65] HID: add support for Cypress barcode scanner 04B4:ED81 Greg Kroah-Hartman
2012-08-13 22:14 ` [ 47/65] HID: add ASUS AIO keyboard model AK1D Greg Kroah-Hartman
2012-08-13 22:14 ` [ 48/65] x86, microcode: microcode_core.c simple_strtoul cleanup Greg Kroah-Hartman
2012-08-13 22:14 ` [ 49/65] x86, microcode: Sanitize per-cpu microcode reloading interface Greg Kroah-Hartman
2012-08-13 22:14 ` [ 50/65] mm: hugetlbfs: close race during teardown of hugetlbfs shared page tables Greg Kroah-Hartman
2012-08-13 22:14 ` [ 51/65] target: Add range checking to UNMAP emulation Greg Kroah-Hartman
2012-08-13 22:14 ` [ 52/65] target: Fix reading of data length fields for UNMAP commands Greg Kroah-Hartman
2012-08-13 22:14 ` [ 53/65] target: Fix possible integer underflow in UNMAP emulation Greg Kroah-Hartman
2012-08-13 22:14 ` [ 54/65] target: Check number of unmap descriptors against our limit Greg Kroah-Hartman
2012-08-13 22:14 ` [ 55/65] ARM: mxs: Remove MMAP_MIN_ADDR setting from mxs_defconfig Greg Kroah-Hartman
2012-08-13 22:14 ` [ 56/65] ARM: dts: imx53-ard: add regulators for lan9220 Greg Kroah-Hartman
2012-08-13 22:14 ` [ 57/65] ARM: pxa: remove irq_to_gpio from ezx-pcap driver Greg Kroah-Hartman
2012-08-13 22:14 ` [ 58/65] cfg80211: process pending events when unregistering net device Greg Kroah-Hartman
2012-08-13 22:14 ` [ 59/65] cfg80211: fix interface combinations check for ADHOC(IBSS) Greg Kroah-Hartman
2012-08-13 22:14 ` [ 60/65] tun: dont zeroize sock->file on detach Greg Kroah-Hartman
2012-08-13 22:14 ` [ 61/65] iwlwifi: disable greenfield transmissions as a workaround Greg Kroah-Hartman
2012-08-13 22:14 ` [ 62/65] e1000e: NIC goes up and immediately goes down Greg Kroah-Hartman
2012-08-13 22:14 ` [ 63/65] Input: eeti_ts: pass gpio value instead of IRQ Greg Kroah-Hartman
2012-08-13 22:14 ` [ 64/65] Input: wacom - Bamboo One 1024 pressure fix Greg Kroah-Hartman
2012-08-13 22:14 ` [ 65/65] rt61pci: fix NULL pointer dereference in config_lna_gain Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120813221417.093549310@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=bharrosh@panasas.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).