git.baikalelectronics.ru Git - kernel.git/commit

author	Darrick J. Wong <darrick.wong@oracle.com>
	Thu, 26 Jan 2017 17:50:30 +0000 (09:50 -0800)
committer	Darrick J. Wong <darrick.wong@oracle.com>
	Thu, 26 Jan 2017 17:50:30 +0000 (09:50 -0800)
commit	d93c43297b64eddd47da49688bd513d31f984788
tree	8e9682fcde7119274d457f7dd2238dde049c2834	tree \| snapshot
parent	9cdedea1b8545a6ae52830ec29b91f368345a4ae	commit \| diff

xfs: fix bmv_count confusion w/ shared extents

In a bmapx call, bmv_count is the total size of the array, including the
zeroth element that userspace uses to supply the search key.  The output
array starts at offset 1 so that we can set up the user for the next
invocation.  Since we now can split an extent into multiple bmap records
due to shared/unshared status, we have to be careful that we don't
overflow the output array.

In the original patch f1553baf919 ("xfs: teach get_bmapx about shared
extents and the CoW fork") I used cur_ext (the output index) to check
for overflows, albeit with an off-by-one error.  Since nexleft no longer
describes the number of unfilled slots in the output, we can rip all
that out and use cur_ext for the overflow check directly.

Failure to do this causes heap corruption in bmapx callers such as
xfs_io and xfs_scrub.  xfs/328 can reproduce this problem.

Reviewed-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>