diff options
author | Ilya Dryomov <ilya.dryomov@inktank.com> | 2014-08-08 04:43:39 -0400 |
---|---|---|
committer | Ilya Dryomov <ilya.dryomov@inktank.com> | 2014-08-09 03:27:32 -0400 |
commit | 5f740d7e1531099b888410e6bab13f68da9b1a4d (patch) | |
tree | b3e7b68b4b977cda4846432990a93ff5f27ec60b /net/ceph | |
parent | 9584d5082653429ea219f9739a08566478b39f16 (diff) |
libceph: set last_piece in ceph_msg_data_pages_cursor_init() correctly
Determining ->last_piece based on the value of ->page_offset + length
is incorrect because length here is the length of the entire message.
->last_piece set to false even if page array data item length is <=
PAGE_SIZE, which results in invalid length passed to
ceph_tcp_{send,recv}page() and causes various asserts to fire.
# cat pages-cursor-init.sh
#!/bin/bash
rbd create --size 10 --image-format 2 foo
FOO_DEV=$(rbd map foo)
dd if=/dev/urandom of=$FOO_DEV bs=1M &>/dev/null
rbd snap create foo@snap
rbd snap protect foo@snap
rbd clone foo@snap bar
# rbd_resize calls librbd rbd_resize(), size is in bytes
./rbd_resize bar $(((4 << 20) + 512))
rbd resize --size 10 bar
BAR_DEV=$(rbd map bar)
# trigger a 512-byte copyup -- 512-byte page array data item
dd if=/dev/urandom of=$BAR_DEV bs=1M count=1 seek=5
The problem exists only in ceph_msg_data_pages_cursor_init(),
ceph_msg_data_pages_advance() does the right thing. The size_t cast is
unnecessary.
Cc: stable@vger.kernel.org # 3.10+
Signed-off-by: Ilya Dryomov <ilya.dryomov@inktank.com>
Reviewed-by: Sage Weil <sage@redhat.com>
Reviewed-by: Alex Elder <elder@linaro.org>
Diffstat (limited to 'net/ceph')
-rw-r--r-- | net/ceph/messenger.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c index e51cad0db580..b2f571dd933d 100644 --- a/net/ceph/messenger.c +++ b/net/ceph/messenger.c | |||
@@ -901,7 +901,7 @@ static void ceph_msg_data_pages_cursor_init(struct ceph_msg_data_cursor *cursor, | |||
901 | BUG_ON(page_count > (int)USHRT_MAX); | 901 | BUG_ON(page_count > (int)USHRT_MAX); |
902 | cursor->page_count = (unsigned short)page_count; | 902 | cursor->page_count = (unsigned short)page_count; |
903 | BUG_ON(length > SIZE_MAX - cursor->page_offset); | 903 | BUG_ON(length > SIZE_MAX - cursor->page_offset); |
904 | cursor->last_piece = (size_t)cursor->page_offset + length <= PAGE_SIZE; | 904 | cursor->last_piece = cursor->page_offset + cursor->resid <= PAGE_SIZE; |
905 | } | 905 | } |
906 | 906 | ||
907 | static struct page * | 907 | static struct page * |