From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1757603AbYCCAS0 (ORCPT ); Sun, 2 Mar 2008 19:18:26 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1755149AbYCCARI (ORCPT ); Sun, 2 Mar 2008 19:17:08 -0500 Received: from ns2.suse.de ([195.135.220.15]:45659 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1757879AbYCCARH (ORCPT ); Sun, 2 Mar 2008 19:17:07 -0500 From: NeilBrown To: Andrew Morton Date: Mon, 3 Mar 2008 11:17:18 +1100 Message-Id: <1080303001718.23607@suse.de> X-face: [Gw_3E*Gng}4rRrKRYotwlE?.2|**#s9D Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Make sure the data doesn't start before the end of the superblock when the superblock is at the start of the device. Signed-off-by: Neil Brown ### Diffstat output ./drivers/md/md.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff .prev/drivers/md/md.c ./drivers/md/md.c --- .prev/drivers/md/md.c 2008-02-22 15:46:10.000000000 +1100 +++ ./drivers/md/md.c 2008-02-22 15:46:10.000000000 +1100 @@ -1105,7 +1105,11 @@ static int super_1_load(mdk_rdev_t *rdev rdev->sb_size = le32_to_cpu(sb->max_dev) * 2 + 256; bmask = queue_hardsect_size(rdev->bdev->bd_disk->queue)-1; if (rdev->sb_size & bmask) - rdev-> sb_size = (rdev->sb_size | bmask)+1; + rdev->sb_size = (rdev->sb_size | bmask) + 1; + + if (minor_version + && rdev->data_offset < sb_offset + (rdev->sb_size/512)) + return -EINVAL; if (sb->level == cpu_to_le32(LEVEL_MULTIPATH)) rdev->desc_nr = -1; @@ -1137,7 +1141,7 @@ static int super_1_load(mdk_rdev_t *rdev else ret = 0; } - if (minor_version) + if (minor_version) rdev->size = ((rdev->bdev->bd_inode->i_size>>9) - le64_to_cpu(sb->data_offset)) / 2; else rdev->size = rdev->sb_offset;