From b146d75e3b52ff58930f7461756e6d2f2a6bcdf4 Mon Sep 17 00:00:00 2001 From: shadow Date: Tue, 24 Jul 2007 12:21:07 +0000 Subject: [PATCH] Access to array[-1] can produce panic if kernel compiled with CONFIG_PAGE_ALLOC enabled b=12975 i=adilger i=green --- lustre/ChangeLog | 7 +++++++ lustre/osc/osc_request.c | 12 +++++++++--- 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/lustre/ChangeLog b/lustre/ChangeLog index bd9d9f3..07b7ca9 100644 --- a/lustre/ChangeLog +++ b/lustre/ChangeLog @@ -565,6 +565,13 @@ Details : In enqueue req, the error was returned by intent, instead of does not evict the client. So enqueue error should be returned by rq_status. +Severity : normal +Bugzilla : 12975 +Frequency : rare +Description: Using wrong pointer in osc_brw_prep_request +Details : Access to array[-1] can produce panic if kernel compiled with + CONFIG_PAGE_ALLOC enabled + -------------------------------------------------------------------------------- 2007-05-03 Cluster File Systems, Inc. diff --git a/lustre/osc/osc_request.c b/lustre/osc/osc_request.c index 6fa67df..3868c5e 100644 --- a/lustre/osc/osc_request.c +++ b/lustre/osc/osc_request.c @@ -917,6 +917,7 @@ static int osc_brw_prep_request(int cmd, struct client_obd *cli,struct obdo *oa, int niocount, i, requested_nob, opc, rc; struct ptlrpc_request_pool *pool; struct osc_brw_async_args *aa; + struct brw_page *pg_prev; ENTRY; OBD_FAIL_RETURN(OBD_FAIL_OSC_BRW_PREP_REQ, -ENOMEM); /* Recoverable */ @@ -961,9 +962,9 @@ static int osc_brw_prep_request(int cmd, struct client_obd *cli,struct obdo *oa, ioobj->ioo_bufcnt = niocount; LASSERT (page_count > 0); + pg_prev = pga[0]; for (requested_nob = i = 0; i < page_count; i++, niobuf++) { struct brw_page *pg = pga[i]; - struct brw_page *pg_prev = pga[i - 1]; LASSERT(pg->count > 0); LASSERTF((pg->off & ~CFS_PAGE_MASK) + pg->count <= CFS_PAGE_SIZE, 
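Review bot: In the `@@ -961,9 +962,9 @@` hunk of lustre/osc/osc_request.c, `pg_prev = pga[0];` makes `pg_prev` alias `pg` on the first pass through the loop, and nothing in the hunk says so. The loop body continues outside the hunk, so the uses of `pg_prev` are not visible; any check there that compares the current page with the previous one has to be skipped for `i == 0` or tolerate a page being compared with itself. The read of `pga[0]` is also only in bounds because it follows `LASSERT (page_count > 0)`; if that assertion can be compiled out in some builds (not visible here), an empty array would still be read. I would add a comment above the assignment, e.g. `/* pga[0] is valid: page_count > 0 asserted above; on the first pass pg_prev == pg, never pga[-1] */`.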
@@ -996,11 +997,16 @@ static int osc_brw_prep_request(int cmd, struct client_obd *cli,struct obdo *oa, niobuf->len = pg->count; niobuf->flags = pg->flag; } + pg_prev = pg; } - LASSERT((void *)(niobuf - niocount) == + LASSERTF((void *)(niobuf - niocount) == lustre_msg_buf(req->rq_reqmsg, REQ_REC_OFF + 2, - niocount * sizeof(*niobuf))); + niocount * sizeof(*niobuf)), + "want %p - real %p\n", lustre_msg_buf(req->rq_reqmsg, + REQ_REC_OFF + 2, niocount * sizeof(*niobuf)), + (void *)(niobuf - niocount)); + osc_announce_cached(cli, &body->oa, opc == OST_WRITE ? requested_nob:0); /* size[REQ_REC_OFF] still sizeof (*body) */ -- 1.8.3.1
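Review bot: The new `LASSERTF` writes the `lustre_msg_buf(req->rq_reqmsg, REQ_REC_OFF + 2, niocount * sizeof(*niobuf))` call twice, once in the condition and once in the message arguments, so the two copies can drift apart and the message would then report a different "want" value than the one tested. Computing it once into a local declared with the function's other locals (`void *want;`, outside this hunk) keeps them tied together: `want = lustre_msg_buf(req->rq_reqmsg, REQ_REC_OFF + 2, niocount * sizeof(*niobuf));` followed by `LASSERTF((void *)(niobuf - niocount) == want, "want %p - real %p\n", want, (void *)(niobuf - niocount));`. The message also prints two raw kernel addresses with `%p`, which deserves a deliberate decision where logs are readable by less-privileged users. The `pg_prev = pg;` at the end of the loop body is what keeps the previous-page pointer in step now that it is no longer re-read from `pga`, and a short comment such as `/* remember this page for the next iteration */` would make that explicit.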