diff options
| author | Ilya Dryomov <idryomov@gmail.com> | 2018-10-11 17:04:33 +0200 |
|---|---|---|
| committer | Ilya Dryomov <idryomov@gmail.com> | 2018-10-22 10:28:22 +0200 |
| commit | 3b83f60da6dd1becd865c1e2745123a8ae378c25 (patch) | |
| tree | 3906ff65facb39ea2580025329a795890b526c9b /net/ceph/msgpool.c | |
| parent | ceph: num_ops is off by one in ceph_aio_retry_work() (diff) | |
| download | linux-3b83f60da6dd1becd865c1e2745123a8ae378c25.tar.xz linux-3b83f60da6dd1becd865c1e2745123a8ae378c25.zip | |
libceph: enable fallback to ceph_msg_new() in ceph_msgpool_get()
ceph_msgpool_get() can fall back to ceph_msg_new() when it is asked for
a message whose front portion is larger than pool->front_len. However
the caller always passes 0, effectively disabling that code path. The
allocation goes to the message pool and returns a message with a front
that is smaller than requested, setting us up for a crash.
One example of this is a directory with a large number of snapshots.
If its snap context doesn't fit, we oops in encode_request_partial().
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Diffstat (limited to 'net/ceph/msgpool.c')
| -rw-r--r-- | net/ceph/msgpool.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/ceph/msgpool.c b/net/ceph/msgpool.c index 72571535883f..3dddc074f0d7 100644 --- a/net/ceph/msgpool.c +++ b/net/ceph/msgpool.c @@ -61,7 +61,7 @@ struct ceph_msg *ceph_msgpool_get(struct ceph_msgpool *pool, if (front_len > pool->front_len) { dout("msgpool_get %s need front %d, pool size is %d\n", pool->name, front_len, pool->front_len); - WARN_ON(1); + WARN_ON_ONCE(1); /* try to alloc a fresh message */ return ceph_msg_new(pool->type, front_len, GFP_NOFS, false); |