Commit 9e62bb44 authored by Boaz Harrosh's avatar Boaz Harrosh

ore: Fix out-of-bounds access in _ios_obj()

_ios_obj() is accessed by group_index not device_table index.

The oc->comps array is only a group_full of devices at a time
it is not like ore_comp_dev() which is indexed by a global
device_table index.

This did not BUG until now because exofs only uses a single
COMP for all devices. But with other FSs like PanFS this is
not true.

This bug was only in the write_path, all other users were
using it correctly

[This is a bug since 3.2 Kernel]
CC: Stable Tree <stable@kernel.org>
Signed-off-by: default avatarBoaz Harrosh <bharrosh@panasas.com>
parent be388f3d
...@@ -837,11 +837,11 @@ static int _write_mirror(struct ore_io_state *ios, int cur_comp) ...@@ -837,11 +837,11 @@ static int _write_mirror(struct ore_io_state *ios, int cur_comp)
bio->bi_rw |= REQ_WRITE; bio->bi_rw |= REQ_WRITE;
} }
osd_req_write(or, _ios_obj(ios, dev), per_dev->offset, osd_req_write(or, _ios_obj(ios, cur_comp),
bio, per_dev->length); per_dev->offset, bio, per_dev->length);
ORE_DBGMSG("write(0x%llx) offset=0x%llx " ORE_DBGMSG("write(0x%llx) offset=0x%llx "
"length=0x%llx dev=%d\n", "length=0x%llx dev=%d\n",
_LLU(_ios_obj(ios, dev)->id), _LLU(_ios_obj(ios, cur_comp)->id),
_LLU(per_dev->offset), _LLU(per_dev->offset),
_LLU(per_dev->length), dev); _LLU(per_dev->length), dev);
} else if (ios->kern_buff) { } else if (ios->kern_buff) {
...@@ -853,20 +853,20 @@ static int _write_mirror(struct ore_io_state *ios, int cur_comp) ...@@ -853,20 +853,20 @@ static int _write_mirror(struct ore_io_state *ios, int cur_comp)
(ios->si.unit_off + ios->length > (ios->si.unit_off + ios->length >
ios->layout->stripe_unit)); ios->layout->stripe_unit));
ret = osd_req_write_kern(or, _ios_obj(ios, per_dev->dev), ret = osd_req_write_kern(or, _ios_obj(ios, cur_comp),
per_dev->offset, per_dev->offset,
ios->kern_buff, ios->length); ios->kern_buff, ios->length);
if (unlikely(ret)) if (unlikely(ret))
goto out; goto out;
ORE_DBGMSG2("write_kern(0x%llx) offset=0x%llx " ORE_DBGMSG2("write_kern(0x%llx) offset=0x%llx "
"length=0x%llx dev=%d\n", "length=0x%llx dev=%d\n",
_LLU(_ios_obj(ios, dev)->id), _LLU(_ios_obj(ios, cur_comp)->id),
_LLU(per_dev->offset), _LLU(per_dev->offset),
_LLU(ios->length), per_dev->dev); _LLU(ios->length), per_dev->dev);
} else { } else {
osd_req_set_attributes(or, _ios_obj(ios, dev)); osd_req_set_attributes(or, _ios_obj(ios, cur_comp));
ORE_DBGMSG2("obj(0x%llx) set_attributes=%d dev=%d\n", ORE_DBGMSG2("obj(0x%llx) set_attributes=%d dev=%d\n",
_LLU(_ios_obj(ios, dev)->id), _LLU(_ios_obj(ios, cur_comp)->id),
ios->out_attr_len, dev); ios->out_attr_len, dev);
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment