diff options
| author | Ilya Dryomov <ilya.dryomov@inktank.com> | 2014-01-09 13:08:21 -0500 |
|---|---|---|
| committer | Ilya Dryomov <ilya.dryomov@inktank.com> | 2014-01-14 04:27:47 -0500 |
| commit | f2be82b0058e90b5d9ac2cb896b4914276fb50ef (patch) | |
| tree | 0754bf0d97cb300fc611a2ce4527649f29cc41c6 | |
| parent | 3f0a4ac55fe036902e3666be740da63528ad8639 (diff) | |
libceph: fix preallocation check in get_reply()
The check that makes sure that we have enough memory allocated to read
in the entire header of the message in question is currently busted.
It compares front_len of the incoming message with iov_len field of
ceph_msg::front structure, which is used primarily to indicate the
amount of data already read in, and not the size of the allocated
buffer. Under certain conditions (e.g. a short read from a socket
followed by that socket's shutdown and owning ceph_connection reset)
this results in a warning similar to
[85688.975866] libceph: get_reply front 198 > preallocated 122 (4#0)
and, through another bug, leads to forever hung tasks and forced
reboots. Fix this by comparing front_len with front_alloc_len field of
struct ceph_msg, which stores the actual size of the buffer.
Fixes: http://tracker.ceph.com/issues/5425
Signed-off-by: Ilya Dryomov <ilya.dryomov@inktank.com>
Reviewed-by: Sage Weil <sage@inktank.com>
| -rw-r--r-- | net/ceph/messenger.c | 3 | ||||
| -rw-r--r-- | net/ceph/osd_client.c | 4 |
2 files changed, 3 insertions, 4 deletions
diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c index f4d411c017e7..252ad4e01cf8 100644 --- a/net/ceph/messenger.c +++ b/net/ceph/messenger.c | |||
| @@ -3130,7 +3130,6 @@ struct ceph_msg *ceph_msg_new(int type, int front_len, gfp_t flags, | |||
| 3130 | INIT_LIST_HEAD(&m->data); | 3130 | INIT_LIST_HEAD(&m->data); |
| 3131 | 3131 | ||
| 3132 | /* front */ | 3132 | /* front */ |
| 3133 | m->front_alloc_len = front_len; | ||
| 3134 | if (front_len) { | 3133 | if (front_len) { |
| 3135 | if (front_len > PAGE_CACHE_SIZE) { | 3134 | if (front_len > PAGE_CACHE_SIZE) { |
| 3136 | m->front.iov_base = __vmalloc(front_len, flags, | 3135 | m->front.iov_base = __vmalloc(front_len, flags, |
| @@ -3147,7 +3146,7 @@ struct ceph_msg *ceph_msg_new(int type, int front_len, gfp_t flags, | |||
| 3147 | } else { | 3146 | } else { |
| 3148 | m->front.iov_base = NULL; | 3147 | m->front.iov_base = NULL; |
| 3149 | } | 3148 | } |
| 3150 | m->front.iov_len = front_len; | 3149 | m->front_alloc_len = m->front.iov_len = front_len; |
| 3151 | 3150 | ||
| 3152 | dout("ceph_msg_new %p front %d\n", m, front_len); | 3151 | dout("ceph_msg_new %p front %d\n", m, front_len); |
| 3153 | return m; | 3152 | return m; |
diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c index 7619c37bfed4..733195170490 100644 --- a/net/ceph/osd_client.c +++ b/net/ceph/osd_client.c | |||
| @@ -2522,9 +2522,9 @@ static struct ceph_msg *get_reply(struct ceph_connection *con, | |||
| 2522 | req->r_reply, req->r_reply->con); | 2522 | req->r_reply, req->r_reply->con); |
| 2523 | ceph_msg_revoke_incoming(req->r_reply); | 2523 | ceph_msg_revoke_incoming(req->r_reply); |
| 2524 | 2524 | ||
| 2525 | if (front_len > req->r_reply->front.iov_len) { | 2525 | if (front_len > req->r_reply->front_alloc_len) { |
| 2526 | pr_warning("get_reply front %d > preallocated %d (%u#%llu)\n", | 2526 | pr_warning("get_reply front %d > preallocated %d (%u#%llu)\n", |
| 2527 | front_len, (int)req->r_reply->front.iov_len, | 2527 | front_len, req->r_reply->front_alloc_len, |
| 2528 | (unsigned int)con->peer_name.type, | 2528 | (unsigned int)con->peer_name.type, |
| 2529 | le64_to_cpu(con->peer_name.num)); | 2529 | le64_to_cpu(con->peer_name.num)); |
| 2530 | m = ceph_msg_new(CEPH_MSG_OSD_OPREPLY, front_len, GFP_NOFS, | 2530 | m = ceph_msg_new(CEPH_MSG_OSD_OPREPLY, front_len, GFP_NOFS, |