imsm: FIX: map coping causes mdmon crash

Too big map was copied (outside allocated memory) and this causes
mdmon crash for 2 raid0 arrays in container.
Map of correct (smaller) size should be copied,
to not overwrite any internal data.

Signed-off-by: Adam Kwolek <adam.kwolek@intel.com>
Signed-off-by: NeilBrown <neilb@suse.de>

diff --git a/super-intel.c b/super-intel.c
index bc3e48df27cf110fd38fa27ca6bc4ef7620c7943..5d39d5bbb5e780561ca7f90e0b6c0c1abd17343e 100644 (file)
--- a/super-intel.c
+++ b/super-intel.c
@@ -5062,6 +5062,7 @@ static void imsm_progress_container_reshape(struct intel_super *super)
        struct imsm_super *mpb = super->anchor;
        int prev_disks = -1;
        int i;
+       int copy_map_size;
 
        for (i = 0; i < mpb->num_raid_devs; i++) {
                struct imsm_dev *dev = get_imsm_dev(super, i);
@@ -5082,6 +5083,7 @@ static void imsm_progress_container_reshape(struct intel_super *super)
                 * i.e it needs a migr_state
                 */
 
+               copy_map_size = sizeof_imsm_map(map);
                prev_num_members = map->num_members;
                map->num_members = prev_disks;
                dev->vol.migr_state = 1;
@@ -5092,7 +5094,7 @@ static void imsm_progress_container_reshape(struct intel_super *super)
                        set_imsm_ord_tbl_ent(map, i, i);
                map2 = get_imsm_map(dev, 1);
                /* Copy the current map */
-               memcpy(map2, map, sizeof_imsm_map(map));
+               memcpy(map2, map, copy_map_size);
                map2->num_members = prev_num_members;
 
                /* calculate new size