On Wed, 2013-03-20 at 16:01 +0800, fanchaoting wrote:
> When pnfs block is using device mapper, unmounting it later may
> cause an oops. We allocate "1 + sizeof(bl_umount_request)" bytes for
> msg->data, and that memory may overflow when we do "memcpy(&dataptr
> [sizeof(bl_msg)], &bl_umount_request, sizeof(bl_umount_request))",
> because the size of bl_msg is more than 1 byte.
>
> Signed-off-by: fanchaoting <fanchaoting@xxxxxxxxxxxxxx>
>
> ---
> fs/nfs/blocklayout/blocklayoutdm.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/fs/nfs/blocklayout/blocklayoutdm.c b/fs/nfs/blocklayout/blocklayoutdm.c
> index 737d839..8df9afa 100644
> --- a/fs/nfs/blocklayout/blocklayoutdm.c
> +++ b/fs/nfs/blocklayout/blocklayoutdm.c
> @@ -55,7 +55,7 @@ static void dev_remove(struct net *net, dev_t dev)
>
> bl_pipe_msg.bl_wq = &nn->bl_wq;
> memset(msg, 0, sizeof(*msg));
> - msg->data = kzalloc(1 + sizeof(bl_umount_request), GFP_NOFS);
> + msg->data = kzalloc(sizeof(bl_msg) + sizeof(bl_umount_request), GFP_NOFS);
> if (!msg->data)
> goto out;

Why not just move the calculation of msg->len, and then use msg->len in
the above allocation?

-- 
Trond Myklebust
Linux NFS client maintainer

NetApp
Trond.Myklebust@xxxxxxxxxx
www.netapp.com
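Review bot: the new size is right but is now spelled out in two places: the kzalloc() in this hunk computes sizeof(bl_msg) + sizeof(bl_umount_request), while the later memcpy() offsets and msg->len (set elsewhere in dev_remove()) must add up to the same total, so the two can drift apart again on the next edit. Compute the length once before the allocation and pass that same value to kzalloc() and to msg->len, e.g. "msg->len = sizeof(bl_msg) + sizeof(bl_umount_request);" followed by "msg->data = kzalloc(msg->len, GFP_NOFS);". The pre-patch "1 + sizeof(bl_umount_request)" undersized the buffer by sizeof(bl_msg) - 1 bytes, so every unmount wrote past the end of a heap object; that is worth stating in the commit message as a heap overflow rather than only as "oops".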
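As an added userspace illustration of the pattern Trond suggests (compute the message length once and use it for both the allocation and the copies), not code from the patch or from fs/nfs/blocklayout: the struct layouts, field names, the hypothetical `BL_DEV_REMOVE` value and the sample major/minor numbers are assumptions for this example, and calloc() stands in for kzalloc().

```c
#include <assert.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layouts standing in for bl_msg and bl_umount_request; only the
 * pattern (header at offset 0, request right after it) follows the patch. */
struct bl_msg_hdr {
    uint8_t  type;      /* hypothetical message type code */
    uint32_t totallen;  /* bytes that follow the header */
};

struct umount_req {
    uint32_t major;
    uint32_t minor;
};

#define BL_DEV_REMOVE 2  /* hypothetical type value for this example */

/* The one place the wire length is computed, so the allocation and the
 * length handed to the pipe (msg->len in the kernel) cannot disagree. */
size_t umount_msg_len(void)
{
    return sizeof(struct bl_msg_hdr) + sizeof(struct umount_req);
}

/* Bytes by which the pre-patch size "1 + sizeof(request)" falls short. */
size_t old_alloc_shortfall(void)
{
    size_t old = 1 + sizeof(struct umount_req);
    size_t need = umount_msg_len();
    return need > old ? need - old : 0;
}

/* Allocate exactly umount_msg_len() bytes and copy header + request into
 * it. Returns the buffer (caller frees) and stores its length in *len. */
unsigned char *build_umount_msg(const struct bl_msg_hdr *hdr,
                                const struct umount_req *req, size_t *len)
{
    size_t n = umount_msg_len();
    unsigned char *buf = calloc(1, n);  /* kzalloc() stand-in */
    if (!buf)
        return NULL;
    /* Both copies must stay inside the n bytes just allocated. */
    assert(sizeof(*hdr) + sizeof(*req) <= n);
    memcpy(buf, hdr, sizeof(*hdr));
    memcpy(buf + sizeof(*hdr), req, sizeof(*req));
    *len = n;
    return buf;
}

/* Build a message for a constructed device number and check that the
 * request read back from the buffer matches what was copied in. */
int umount_msg_roundtrip(uint32_t major, uint32_t minor)
{
    struct bl_msg_hdr hdr = { .type = BL_DEV_REMOVE,
                              .totallen = sizeof(struct umount_req) };
    struct umount_req req = { .major = major, .minor = minor };
    struct umount_req back;
    size_t len = 0;
    unsigned char *buf = build_umount_msg(&hdr, &req, &len);
    if (!buf)
        return 0;
    memcpy(&back, buf + sizeof(hdr), sizeof(back));
    int ok = (len == umount_msg_len()) &&
             back.major == major && back.minor == minor;
    free(buf);
    return ok;
}
```

old_alloc_shortfall() is the size of the header minus one byte, which is exactly how far the pre-patch kzalloc(1 + sizeof(bl_umount_request), ...) left the following memcpy() writing past the end of the allocation.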