| From 82cd003a77173c91b9acad8033fb7931dac8d751 Mon Sep 17 00:00:00 2001 |
| From: Ilya Dryomov <idryomov@gmail.com> |
| Date: Mon, 29 Jun 2015 19:30:23 +0300 |
| Subject: crush: fix a bug in tree bucket decode |
| |
| From: Ilya Dryomov <idryomov@gmail.com> |
| |
| commit 82cd003a77173c91b9acad8033fb7931dac8d751 upstream. |
| |
| struct crush_bucket_tree::num_nodes is u8, so ceph_decode_8_safe() |
| should be used. -Wconversion catches this, but I guess it went |
| unnoticed in all the noise it spews. The actual problem (at least for |
| common crushmaps) isn't the u32 -> u8 truncation though - it's the |
| advancement by 4 bytes instead of 1 in the crushmap buffer. |
| |
| Fixes: http://tracker.ceph.com/issues/2759 |
| |
| Signed-off-by: Ilya Dryomov <idryomov@gmail.com> |
| Reviewed-by: Josh Durgin <jdurgin@redhat.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| net/ceph/osdmap.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/net/ceph/osdmap.c |
| +++ b/net/ceph/osdmap.c |
| @@ -89,7 +89,7 @@ static int crush_decode_tree_bucket(void |
| { |
| int j; |
| dout("crush_decode_tree_bucket %p to %p\n", *p, end); |
| - ceph_decode_32_safe(p, end, b->num_nodes, bad); |
| + ceph_decode_8_safe(p, end, b->num_nodes, bad); |
| b->node_weights = kcalloc(b->num_nodes, sizeof(u32), GFP_NOFS); |
| if (b->node_weights == NULL) |
| return -ENOMEM; |
