> -----Original Message-----
> From: linux-nfs-owner@xxxxxxxxxxxxxxx [mailto:linux-nfs-owner@xxxxxxxxxxxxxxx] On Behalf Of fanchaoting
> Sent: Wednesday, March 20, 2013 4:01 PM
> To: Myklebust, Trond
> Cc: linux-nfs@xxxxxxxxxxxxxxx
> Subject: [PATCH] pnfs-block: removing DM device maybe cause oops when call dev_remove
>
> when pnfs block using device mapper, if umounting later, it maybe
> cause oops. we apply "1 + sizeof(bl_umount_request)" memory for
> msg->data, the memory maybe overflow when we do "memcpy(&dataptr
> [sizeof(bl_msg)], &bl_umount_request, sizeof(bl_umount_request))",
> because the size of bl_msg is more than 1 byte.
>

Nice catch! I think we didn't crash before just because of data alignment (and luck for sure :-).

Thanks,
Tao

> Signed-off-by: fanchaoting<fanchaoting@xxxxxxxxxxxxxx>
>
> ---
> fs/nfs/blocklayout/blocklayoutdm.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/fs/nfs/blocklayout/blocklayoutdm.c b/fs/nfs/blocklayout/blocklayoutdm.c
> index 737d839..8df9afa 100644
> --- a/fs/nfs/blocklayout/blocklayoutdm.c
> +++ b/fs/nfs/blocklayout/blocklayoutdm.c
> @@ -55,7 +55,7 @@ static void dev_remove(struct net *net, dev_t dev)
>
> bl_pipe_msg.bl_wq = &nn->bl_wq;
> memset(msg, 0, sizeof(*msg));
> - msg->data = kzalloc(1 + sizeof(bl_umount_request), GFP_NOFS);
> + msg->data = kzalloc(sizeof(bl_msg) + sizeof(bl_umount_request), GFP_NOFS);
> if (!msg->data)
> goto out;
>
> --
> 1.7.1
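Review bot: the allocation size in the `+` line and the layout the commit message describes for the memcpy (bl_msg header, then bl_umount_request at offset sizeof(bl_msg)) are now written out independently in two places; consider computing `sizeof(bl_msg) + sizeof(bl_umount_request)` once into a local and using it both for the kzalloc and for the length handed to the pipe, so the buffer size and the message length cannot drift apart again. The fix itself is right: with the old `kzalloc(1 + sizeof(bl_umount_request), GFP_NOFS)` the buffer was short by `sizeof(bl_msg) - 1` bytes, so the memcpy at offset sizeof(bl_msg) wrote past the end of a heap allocation, which is exactly the kind of silent heap corruption that only surfaces later (here at unmount) depending on what the allocator placed next to it. It is also worth confirming that the msg->len assignment, which is outside this hunk, is set from the same corrected value.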