    dm table: remove unused buggy code that extends the targets array · 57a2f238
    Mikulas Patocka authored
    A device mapper table is allocated in the following way:
    * The function dm_table_create is called, it gets the number of targets
      as an argument -- it allocates a targets array accordingly.
    * For each target, we call dm_table_add_target.
    
    If we add more targets than were specified in dm_table_create, the
    function dm_table_add_target reallocates the targets array.  However,
    this reallocation code is wrong - it moves the targets array to a new
    location, while some target constructors hold pointers to the array in
    the old location.
    
    The following DM target drivers save the pointer to the target
    structure, so they corrupt memory if the target array is moved:
    multipath, raid, mirror, snapshot, stripe, switch, thin, verity.
    
    Under normal circumstances, the reallocation function is not called
    (because dm_table_create is called with the correct number of targets),
    so the buggy reallocation code is not used.
    
    Prior to the fix "dm table: fail dm_table_create on dm_round_up
    overflow", the reallocation code could only be used in case the user
    specifies too large a value in param->target_count, such as 0xffffffff.
    
    Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
    Signed-off-by: Mike Snitzer <snitzer@redhat.com>
dm-table.c 38.3 KB
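
The failure mode the commit message describes, as an added userspace model (not the kernel's code and not part of the commit): a constructor saves a pointer to its slot in the targets array, the array is then moved, and the saved pointer no longer refers to the live slot. The names `ctx`, `ctr`, `add_target`, `run` and the `grow` switch are hypothetical; the model assumes a table declared with at least one target, permits a single relocation, and keeps the old array allocated so the pointer comparison stays well-defined.

```c
#include <stdlib.h>
#include <string.h>

struct target;
struct ctx { struct target *ti; };       /* back pointer a constructor saves */
struct target { struct ctx *private; };
struct table {
    unsigned num_targets, num_allocated;
    struct target *targets;
    struct target *retired;  /* old array, kept (not freed) so checks stay defined */
};

/* Model of a target constructor that stores a pointer to its own array slot. */
static int ctr(struct target *ti) {
    if (!(ti->private = malloc(sizeof(*ti->private)))) return -1;
    ti->private->ti = ti;
    return 0;
}

/* grow=1 models extending the array on overflow, grow=0 refusing the add. */
static int add_target(struct table *t, int grow) {
    if (t->num_targets >= t->num_allocated) {
        struct target *n;
        if (!grow || t->retired) return -1;          /* no room: refuse */
        if (!(n = calloc(t->num_allocated * 2, sizeof(*n)))) return -1;
        memcpy(n, t->targets, t->num_targets * sizeof(*n));
        t->retired = t->targets;                     /* the array has moved */
        t->targets = n;
        t->num_allocated *= 2;
    }
    if (ctr(&t->targets[t->num_targets])) return -1;
    t->num_targets++;
    return 0;
}

/* Returns the count of stale saved pointers, or -1 if an add was refused. */
static int run(unsigned declared, unsigned actual, int grow) {
    struct table t = { 0, declared, calloc(declared, sizeof(struct target)), NULL };
    int stale = 0;
    unsigned i;
    if (!t.targets) return -1;
    for (i = 0; i < actual && stale == 0; i++) stale = add_target(&t, grow);
    for (i = 0; stale >= 0 && i < t.num_targets; i++)
        stale += t.targets[i].private->ti != &t.targets[i];
    for (i = 0; i < t.num_targets; i++) free(t.targets[i].private);
    free(t.retired); free(t.targets);
    return stale;
}

int main(void) { return run(1, 2, 1) == 1 && run(1, 2, 0) == -1 ? 0 : 1; }
```

Every target constructed before the move ends up with a stale pointer, while targets added afterwards are unaffected, which is why the count equals the number of targets that existed when the array was extended.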