From: Adam Kwolek
Date: Mon, 31 Jan 2011 23:40:56 +0000 (+1100)
Subject: imsm: FIX: map coping causes mdmon crash
X-Git-Tag: mdadm-3.2~14
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1dfaa38015ec7536eee46cb3f814d7fd4d3f689d;p=thirdparty%2Fmdadm.git
imsm: FIX: map coping causes mdmon crash
Too big map was copied (outside allocated memory) and this causes mdmon crash for 2 raid0 arrays in container. Map of correct (smaller) size should be copied, to not overwrite any internal data.
Signed-off-by: Adam Kwolek
Signed-off-by: NeilBrown
---
diff --git a/super-intel.c b/super-intel.c
index bc3e48df..5d39d5bb 100644
--- a/super-intel.c
+++ b/super-intel.c
@@ -5062,6 +5062,7 @@ static void imsm_progress_container_reshape(struct intel_super *super)
 struct imsm_super *mpb = super->anchor;
 int prev_disks = -1;
 int i;
+ int copy_map_size;
 for (i = 0; i < mpb->num_raid_devs; i++) {
 struct imsm_dev *dev = get_imsm_dev(super, i);
@@ -5082,6 +5083,7 @@ static void imsm_progress_container_reshape(struct intel_super *super)
 * i.e it needs a migr_state */
+ copy_map_size = sizeof_imsm_map(map);
 prev_num_members = map->num_members;
 map->num_members = prev_disks;
 dev->vol.migr_state = 1;
@@ -5092,7 +5094,7 @@ static void imsm_progress_container_reshape(struct intel_super *super)
 set_imsm_ord_tbl_ent(map, i, i);
 map2 = get_imsm_map(dev, 1);
 /* Copy the current map */
- memcpy(map2, map, sizeof_imsm_map(map));
+ memcpy(map2, map, copy_map_size);
 map2->num_members = prev_num_members;
 /* calculate new size
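Review bot: `copy_map_size` is declared `int` in the first hunk, yet its only use is as the byte count passed to `memcpy()` in the third hunk. Declaring it as `size_t copy_map_size;` would match memcpy's length parameter and avoid a signed-to-unsigned conversion at the call. This assumes sizeof_imsm_map() returns an unsigned size, which is not visible in this diff. The function body starts and ends outside the hunk.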
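Review bot: The new assignment in the second hunk is correct only because it runs before `map->num_members = prev_disks;`, and nothing on the line records that ordering requirement. A later cleanup that moves the call back next to the `memcpy()` would silently restore the oversized copy this commit removes. I would add a comment above the assignment such as `/* take the map size before num_members grows; the copy below must use the old, smaller size */`. The enclosing loop body continues outside the hunk.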
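Review bot: The `memcpy()` in the third hunk now has a bounded length, but nothing visible checks that the destination `map2` still lies wholly inside the buffer behind `dev`. If get_imsm_map(dev, 1) places the second map directly after the first (its body is not shown here), raising `map->num_members` also moves `map2` further into the allocation. The allocation would then need to have been sized beforehand for the enlarged first map plus a copy of the old one. A short comment at the `memcpy()` naming where that space is reserved, or an assertion against the allocated dev size if the function has it to hand, would make the precondition checkable. The function continues past the end of the hunk.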