@@ -14,6 +14,6 @@ extern int crush_find_rule(const struct crush_map *map, int ruleset, int type, i
extern int crush_do_rule(const struct crush_map *map,
int ruleno,
int x, int *result, int result_max,
- const __u32 *weights);
+ const __u32 *weights, int weight_max);
#endif
@@ -264,8 +264,12 @@ static int crush_bucket_choose(struct crush_bucket *in, int x, int r)
* true if device is marked "out" (failed, fully offloaded)
* of the cluster
*/
-static int is_out(const struct crush_map *map, const __u32 *weight, int item, int x)
+static int is_out(const struct crush_map *map,
+ const __u32 *weight, int weight_max,
+ int item, int x)
{
+ if (item >= weight_max)
+ return 1;
if (weight[item] >= 0x10000)
return 0;
if (weight[item] == 0)
@@ -292,7 +296,7 @@ static int is_out(const struct crush_map *map, const __u32 *weight, int item, in
*/
static int crush_choose(const struct crush_map *map,
struct crush_bucket *bucket,
- const __u32 *weight,
+ const __u32 *weight, int weight_max,
int x, int numrep, int type,
int *out, int outpos,
int firstn, int recurse_to_leaf,
@@ -396,7 +400,7 @@ static int crush_choose(const struct crush_map *map,
if (item < 0) {
if (crush_choose(map,
map->buckets[-1-item],
- weight,
+ weight, weight_max,
x, outpos+1, 0,
out2, outpos,
firstn, 0,
@@ -414,6 +418,7 @@ static int crush_choose(const struct crush_map *map,
/* out? */
if (itemtype == 0)
reject = is_out(map, weight,
+ weight_max,
item, x);
else
reject = 0;
@@ -470,10 +475,12 @@ reject:
* @x: hash input
* @result: pointer to result vector
* @result_max: maximum result size
+ * @weight: weight vector (for map leaves)
+ * @weight_max: size of weight vector
*/
int crush_do_rule(const struct crush_map *map,
int ruleno, int x, int *result, int result_max,
- const __u32 *weight)
+ const __u32 *weight, int weight_max)
{
int result_len;
int a[CRUSH_MAX_SET];
@@ -545,7 +552,7 @@ int crush_do_rule(const struct crush_map *map,
j = 0;
osize += crush_choose(map,
map->buckets[-1-w[i]],
- weight,
+ weight, weight_max,
x, numrep,
curstep->arg2,
o+osize, j,
@@ -1165,7 +1165,7 @@ static int *calc_pg_raw(struct ceph_osdmap *osdmap, struct ceph_pg pgid,
}
r = crush_do_rule(osdmap->crush, ruleno, pps, osds,
min_t(int, pool->size, *num),
- osdmap->osd_weight);
+ osdmap->osd_weight, osdmap->max_osd);
if (r < 0) {
pr_err("error %d from crush rule: pool %lld ruleset %d type %d"
" size %d\n", r, pgid.pool, pool->crush_ruleset,
Pass the size of the weight vector into crush_do_rule() to ensure that we don't access values past the end. This can happen if the caller misbehaves and passes a weight vector that is smaller than max_devices. Currently the monitor tries to prevent that from happening, but this will gracefully tolerate previous bad osdmaps that got into this state. It's also a bit more defensive. Reflects ceph.git commit 5922e2c2b8335b5e46c9504349c3a55b7434c01a. Signed-off-by: Ilya Dryomov <ilya.dryomov@inktank.com> --- include/linux/crush/mapper.h | 2 +- net/ceph/crush/mapper.c | 17 ++++++++++++----- net/ceph/osdmap.c | 2 +- 3 files changed, 14 insertions(+), 7 deletions(-)