diff options
| author | Yan, Zheng <zyan@redhat.com> | 2015-01-06 02:29:14 -0500 |
|---|---|---|
| committer | Ilya Dryomov <idryomov@gmail.com> | 2015-02-19 05:31:38 -0500 |
| commit | 1487a688d8ea596e6710b0d256300ab10ce99284 (patch) | |
| tree | 43bb2d70b4d933183fcf56ab1eb9ac8e3d83f1ab /fs/ceph | |
| parent | 671762f8071563847e50f45c6fb0b329e6e8cf9a (diff) | |
ceph: properly zero data pages for file holes.
A bug is found in striped_read() of fs/ceph/file.c. striped_read() calls
ceph_zero_pape_vector_range(). The first argument, page_align + read + ret,
passed to ceph_zero_pape_vector_range() is wrong.
When a file has holes, this wrong parameter may cause memory corruption
either in kernal space or user space. Kernel space memory may be corrupted in
the case of non direct IO; user space memory may be corrupted in the case of
direct IO. In the latter case, the application doing direct IO may crash due
to memory corruption, as we have experienced.
The correct value should be initial_align + read + ret, where intial_align =
o_direct ? buf_align : io_align. Compared with page_align, the current page
offest, initial_align is the initial page offest, which should be used to
calculate the page and offset in ceph_zero_pape_vector_range().
Reported-by: caifeng zhu <zhucaifeng@unissoft-nj.com>
Signed-off-by: Yan, Zheng <zyan@redhat.com>
Diffstat (limited to 'fs/ceph')
| -rw-r--r-- | fs/ceph/file.c | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/fs/ceph/file.c b/fs/ceph/file.c index ce74b394b49d..663da44c06b6 100644 --- a/fs/ceph/file.c +++ b/fs/ceph/file.c | |||
| @@ -392,13 +392,14 @@ more: | |||
| 392 | if (ret >= 0) { | 392 | if (ret >= 0) { |
| 393 | int didpages; | 393 | int didpages; |
| 394 | if (was_short && (pos + ret < inode->i_size)) { | 394 | if (was_short && (pos + ret < inode->i_size)) { |
| 395 | u64 tmp = min(this_len - ret, | 395 | int zlen = min(this_len - ret, |
| 396 | inode->i_size - pos - ret); | 396 | inode->i_size - pos - ret); |
| 397 | int zoff = (o_direct ? buf_align : io_align) + | ||
| 398 | read + ret; | ||
| 397 | dout(" zero gap %llu to %llu\n", | 399 | dout(" zero gap %llu to %llu\n", |
| 398 | pos + ret, pos + ret + tmp); | 400 | pos + ret, pos + ret + zlen); |
| 399 | ceph_zero_page_vector_range(page_align + read + ret, | 401 | ceph_zero_page_vector_range(zoff, zlen, pages); |
| 400 | tmp, pages); | 402 | ret += zlen; |
| 401 | ret += tmp; | ||
| 402 | } | 403 | } |
| 403 | 404 | ||
| 404 | didpages = (page_align + ret) >> PAGE_CACHE_SHIFT; | 405 | didpages = (page_align + ret) >> PAGE_CACHE_SHIFT; |