A patch to avoid data corruption in a device-mapper snapshot.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iQIcBAABAgAGBQJSXfiQAAoJEK2W1qbAHj1nNXUP/1hVfXVIBMXNRmxrM9FJ1Rdj Rg30aQK0qP6MkoPmjbdsPZmApq3uI++ihTPIhKQHrW70jjs1HsOAG5e9lHZXLx4b mt3+1PNheLMf+J6zzdk1qyWYXmzs1XU/MzlhpmmkCydO0X8ONmri75FqwCZlOB0H k/80Z8Q/3vva0pLsE5ubYlPiKoI1DPsUA9qO/Dkjh4QGDllsleVK5CjQPZiJJ4Ji FkAeBYdo3BZ6ivUXx4MJRDu7N1992XhVWabwU0bEoNAj2IjHiwT0rwsNoWxOYIim NsZFTboy/Aj3819w/QdqHKGEd4kd86MnxySkzK7/D57MRz6nqiwWGljGSIzth6ta uqJB7wuq3s/1p4MVaEnaCpm0QzquNt3lgP7bXGx94Qwq9oxdgyL8ndZHQv1SpagC gZT0PuFbg5XzpXt94XUeSODODnzG6SuBass5dxHHMrZdw/9hVPAavyyC+TcBIqLr 6+8N4monhhNkZDUiUHIlTzk0YrmUDVfFlI8D7gj9mDBPf+qJsjBp8L6LdZeq0ZWs bC33oLQn/wEUv3Od1SQxMC34+xU65GT/raPg5H0xE0cRwKeloV7w9lKhiYLBbq5+ 1sKFJ/rll2cwZhpQ6UombkTzjGWK1JfsMnRFkM4B248qwf/QR9BWwLnNMP3tryyl smCkZ2DLncDKf7J8TN64 =NRC3 -----END PGP SIGNATURE----- Merge tag 'dm-3.12-fix-cve' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm Pull device-mapper fix from Alasdair Kergon: "A patch to avoid data corruption in a device-mapper snapshot. This is primarily a data corruption bug that all users of device-mapper snapshots will want to fix. The CVE is due to a data leak under specific circumstances if, for example, the snapshot is presented to a virtual machine: a block written as data inside the VM can get interpreted incorrectly on the host outside the VM as metadata, causing the host to provide the VM with access to blocks it would not otherwise see. This is likely to affect few, if any, people" * tag 'dm-3.12-fix-cve' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm: dm snapshot: fix data corruption
This commit is contained in:
Linus Torvalds
commit
8359ffa565
|
|
@ -269,6 +269,14 @@ static chunk_t area_location(struct pstore *ps, chunk_t area)
|
|||
return NUM_SNAPSHOT_HDR_CHUNKS + ((ps->exceptions_per_area + 1) * area);
|
||||
}
|
||||
|
||||
static void skip_metadata(struct pstore *ps)
|
||||
{
|
||||
uint32_t stride = ps->exceptions_per_area + 1;
|
||||
chunk_t next_free = ps->next_free;
|
||||
if (sector_div(next_free, stride) == NUM_SNAPSHOT_HDR_CHUNKS)
|
||||
ps->next_free++;
|
||||
}
|
||||
|
||||
/*
|
||||
* Read or write a metadata area. Remembering to skip the first
|
||||
* chunk which holds the header.
|
||||
|
|
@ -502,6 +510,8 @@ static int read_exceptions(struct pstore *ps,
|
|||
|
||||
ps->current_area--;
|
||||
|
||||
skip_metadata(ps);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
@ -616,8 +626,6 @@ static int persistent_prepare_exception(struct dm_exception_store *store,
|
|||
struct dm_exception *e)
|
||||
{
|
||||
struct pstore *ps = get_info(store);
|
||||
uint32_t stride;
|
||||
chunk_t next_free;
|
||||
sector_t size = get_dev_size(dm_snap_cow(store->snap)->bdev);
|
||||
|
||||
/* Is there enough room ? */
|
||||
|
|
@ -630,10 +638,8 @@ static int persistent_prepare_exception(struct dm_exception_store *store,
|
|||
* Move onto the next free pending, making sure to take
|
||||
* into account the location of the metadata chunks.
|
||||
*/
|
||||
stride = (ps->exceptions_per_area + 1);
|
||||
next_free = ++ps->next_free;
|
||||
if (sector_div(next_free, stride) == 1)
|
||||
ps->next_free++;
|
||||
ps->next_free++;
|
||||
skip_metadata(ps);
|
||||
|
||||
atomic_inc(&ps->pending_count);
|
||||
return 0;
|
||||
|
|
|
|||
Loading…
Reference in a new issue