mirror of
https://github.com/torvalds/linux.git
synced 2024-11-10 14:11:52 +00:00
libceph: enable fallback to ceph_msg_new() in ceph_msgpool_get()
ceph_msgpool_get() can fall back to ceph_msg_new() when it is asked for a message whose front portion is larger than pool->front_len. However the caller always passes 0, effectively disabling that code path. The allocation goes to the message pool and returns a message with a front that is smaller than requested, setting us up for a crash. One example of this is a directory with a large number of snapshots. If its snap context doesn't fit, we oops in encode_request_partial(). Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
This commit is contained in:
parent
61d2f85504
commit
3b83f60da6
@ -61,7 +61,7 @@ struct ceph_msg *ceph_msgpool_get(struct ceph_msgpool *pool,
|
|||||||
if (front_len > pool->front_len) {
|
if (front_len > pool->front_len) {
|
||||||
dout("msgpool_get %s need front %d, pool size is %d\n",
|
dout("msgpool_get %s need front %d, pool size is %d\n",
|
||||||
pool->name, front_len, pool->front_len);
|
pool->name, front_len, pool->front_len);
|
||||||
WARN_ON(1);
|
WARN_ON_ONCE(1);
|
||||||
|
|
||||||
/* try to alloc a fresh message */
|
/* try to alloc a fresh message */
|
||||||
return ceph_msg_new(pool->type, front_len, GFP_NOFS, false);
|
return ceph_msg_new(pool->type, front_len, GFP_NOFS, false);
|
||||||
|
@ -641,7 +641,7 @@ int ceph_osdc_alloc_messages(struct ceph_osd_request *req, gfp_t gfp)
|
|||||||
msg_size += 4 + 8; /* retry_attempt, features */
|
msg_size += 4 + 8; /* retry_attempt, features */
|
||||||
|
|
||||||
if (req->r_mempool)
|
if (req->r_mempool)
|
||||||
msg = ceph_msgpool_get(&osdc->msgpool_op, 0);
|
msg = ceph_msgpool_get(&osdc->msgpool_op, msg_size);
|
||||||
else
|
else
|
||||||
msg = ceph_msg_new(CEPH_MSG_OSD_OP, msg_size, gfp, true);
|
msg = ceph_msg_new(CEPH_MSG_OSD_OP, msg_size, gfp, true);
|
||||||
if (!msg)
|
if (!msg)
|
||||||
@ -656,7 +656,7 @@ int ceph_osdc_alloc_messages(struct ceph_osd_request *req, gfp_t gfp)
|
|||||||
msg_size += req->r_num_ops * sizeof(struct ceph_osd_op);
|
msg_size += req->r_num_ops * sizeof(struct ceph_osd_op);
|
||||||
|
|
||||||
if (req->r_mempool)
|
if (req->r_mempool)
|
||||||
msg = ceph_msgpool_get(&osdc->msgpool_op_reply, 0);
|
msg = ceph_msgpool_get(&osdc->msgpool_op_reply, msg_size);
|
||||||
else
|
else
|
||||||
msg = ceph_msg_new(CEPH_MSG_OSD_OPREPLY, msg_size, gfp, true);
|
msg = ceph_msg_new(CEPH_MSG_OSD_OPREPLY, msg_size, gfp, true);
|
||||||
if (!msg)
|
if (!msg)
|
||||||
|
Loading…
Reference in New Issue
Block a user