From 3af727f5f75f4ed1c2a06b577bbc72d20cd5efce Mon Sep 17 00:00:00 2001 From: shadow <shadow> Date: Wed, 16 Jul 2008 06:10:19 +0000 Subject: [PATCH] Access to array[-1] can produce panic if kernel compiled with CONFIG_PAGE_ALLOC enabled Branch HEAD b=12975 i=green i=adilger --- lustre/ChangeLog | 7 +++++++ lustre/osc/osc_request.c | 12 +++++++++--- 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/lustre/ChangeLog b/lustre/ChangeLog index 2fa2a12014..8d5fdd271c 100644 --- a/lustre/ChangeLog +++ b/lustre/ChangeLog @@ -12,6 +12,13 @@ tbd Sun Microsystems, Inc. * RHEL 4 and RHEL 5/SLES 10 clients behaves differently on 'cd' to a removed cwd "./" (refer to Bugzilla 14399). +Severity : normal +Bugzilla : 12975 +Frequency : rare +Description: Using wrong pointer in osc_brw_prep_request +Details : Access to array[-1] can produce panic if kernel compiled with + CONFIG_PAGE_ALLOC enabled + Severity : normal Bugzilla : 16037 Description: Client runs out of low memory diff --git a/lustre/osc/osc_request.c b/lustre/osc/osc_request.c index ec59eb95ac..e5f368cefa 100644 --- a/lustre/osc/osc_request.c +++ b/lustre/osc/osc_request.c @@ -1028,6 +1028,7 @@ static int osc_brw_prep_request(int cmd, struct client_obd *cli,struct obdo *oa, int niocount, i, requested_nob, opc, rc; struct osc_brw_async_args *aa; struct req_capsule *pill; + struct brw_page *pg_prev; ENTRY; if (OBD_FAIL_CHECK(OBD_FAIL_OSC_BRW_PREP_REQ)) @@ -1088,9 +1089,9 @@ static int osc_brw_prep_request(int cmd, struct client_obd *cli,struct obdo *oa, ioobj->ioo_bufcnt = niocount; osc_pack_capa(req, body, ocapa); LASSERT (page_count > 0); + pg_prev = pga[0]; for (requested_nob = i = 0; i < page_count; i++, niobuf++) { struct brw_page *pg = pga[i]; - struct brw_page *pg_prev = pga[i - 1]; LASSERT(pg->count > 0); LASSERTF((pg->off & ~CFS_PAGE_MASK) + pg->count <= CFS_PAGE_SIZE, 
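Review bot: Seeding `pg_prev = pga[0]` ahead of the loop in the `-1088` hunk makes `pg_prev` and `pg` the same page on the first pass, and nothing on the new line records that. The code that consumes `pg_prev` sits between this hunk and the next and is not visible here, so it presumably already gates on `i > 0`; a comment such as `/* first pass: pg_prev == pg, users must check i > 0 */` would keep that requirement from being lost in a later edit. The read of `pga[0]` is in bounds only because it follows `LASSERT (page_count > 0)`. If that assertion can be compiled out in some build configurations, an explicit check on `page_count` before the assignment would be the safer guard. osc_brw_prep_request starts and ends outside the hunk.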
@@ -1123,11 +1124,16 @@ static int osc_brw_prep_request(int cmd, struct client_obd *cli,struct obdo *oa, niobuf->len = pg->count; niobuf->flags = pg->flag; } + pg_prev = pg; } - LASSERT((void *)(niobuf - niocount) == + LASSERTF((void *)(niobuf - niocount) == lustre_msg_buf(req->rq_reqmsg, REQ_REC_OFF + 2, - niocount * sizeof(*niobuf))); + niocount * sizeof(*niobuf)), + "want %p - real %p\n", lustre_msg_buf(req->rq_reqmsg, + REQ_REC_OFF + 2, niocount * sizeof(*niobuf)), + (void *)(niobuf - niocount)); + osc_announce_cached(cli, &body->oa, opc == OST_WRITE ? requested_nob:0); /* size[REQ_REC_OFF] still sizeof (*body) */ -- GitLab
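Review bot: The new LASSERTF spells out `lustre_msg_buf(req->rq_reqmsg, REQ_REC_OFF + 2, niocount * sizeof(*niobuf))` twice, once in the condition and once for the message, so a later edit to one copy would make the printed "want" value differ from the one actually compared. Computing it once into a local declared with the other locals at the top of the function (outside this hunk), `nb_base = lustre_msg_buf(req->rq_reqmsg, REQ_REC_OFF + 2, niocount * sizeof(*niobuf));`, and asserting `LASSERTF((void *)(niobuf - niocount) == nb_base, "want %p - real %p\n", nb_base, (void *)(niobuf - niocount));` keeps the two tied together. This diagnostic change is also independent of the array[-1] fix named in the subject and would be easier to trace as its own commit.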