summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAlex Elder <elder@inktank.com>2013-03-31 06:46:55 +0200
committerSage Weil <sage@inktank.com>2013-05-02 06:17:40 +0200
commit56fc5659162965ce3018a34c6bb8a022f3a3b33c (patch)
treee3d774b9ff1a2cb3577b8e3c1ba127cba456345e
parentlibceph: page offset must be less than page size (diff)
downloadlinux-56fc5659162965ce3018a34c6bb8a022f3a3b33c.tar.xz
linux-56fc5659162965ce3018a34c6bb8a022f3a3b33c.zip
libceph: account for alignment in pages cursor
When a cursor for a page array data message is initialized it needs to determine the initial value for cursor->last_piece. Currently it just checks if length is less than a page, but that's not correct. The data in the first page in the array will be offset by a page offset based on the alignment recorded for the data. (All pages thereafter will be aligned at the base of the page, so there's no need to account for this except for the first page.) Because this was wrong, there was a case where the length of a piece would be calculated as all of the residual bytes in the message and that plus the page offset could exceed the length of a page. So fix this case. Make sure the sum won't wrap. This resolves a third issue described in: http://tracker.ceph.com/issues/4598 Signed-off-by: Alex Elder <elder@inktank.com> Reviewed-by: Sage Weil <sage@inktank.com>
-rw-r--r--net/ceph/messenger.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
index 198b9026288e..ee160864e8ea 100644
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -839,9 +839,10 @@ static void ceph_msg_data_pages_cursor_init(struct ceph_msg_data *data,
page_count = calc_pages_for(data->alignment, (u64)data->length);
cursor->page_offset = data->alignment & ~PAGE_MASK;
cursor->page_index = 0;
- BUG_ON(page_count > (int) USHRT_MAX);
- cursor->page_count = (unsigned short) page_count;
- cursor->last_piece = length <= PAGE_SIZE;
+ BUG_ON(page_count > (int)USHRT_MAX);
+ cursor->page_count = (unsigned short)page_count;
+ BUG_ON(length > SIZE_MAX - cursor->page_offset);
+ cursor->last_piece = (size_t)cursor->page_offset + length <= PAGE_SIZE;
}
static struct page *ceph_msg_data_pages_next(struct ceph_msg_data *data,