Skip to content

Commit

Permalink
libceph: fail sparse-read if the data length doesn't match
Browse files Browse the repository at this point in the history 
[ Upstream commit cd7d469 ]

Once this happens that means there have bugs.

Signed-off-by: Xiubo Li <xiubli@redhat.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
  • Loading branch information
@lxbsz @gregkh
lxbsz authored and gregkh committed Mar 1, 2024
1 parent 9fe6ad6 commit 7d7046a
Show file tree
Hide file tree
Showing 2 changed files with 17 additions and 4 deletions.
3 changes: 2 additions & 1 deletion include/linux/ceph/osd_client.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,7 @@ enum ceph_sparse_read_state {
CEPH_SPARSE_READ_HDR = 0,
CEPH_SPARSE_READ_EXTENTS,
CEPH_SPARSE_READ_DATA_LEN,
CEPH_SPARSE_READ_DATA_PRE,
CEPH_SPARSE_READ_DATA,
};

Expand All @@ -64,7 +65,7 @@ struct ceph_sparse_read {
u64 sr_req_len; /* orig request length */
u64 sr_pos; /* current pos in buffer */
int sr_index; /* current extent index */
__le32 sr_datalen; /* length of actual data */
u32 sr_datalen; /* length of actual data */
u32 sr_count; /* extent count in reply */
int sr_ext_len; /* length of extent array */
struct ceph_sparse_extent *sr_extent; /* extent array */
Expand Down
18 changes: 15 additions & 3 deletions net/ceph/osd_client.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5856,8 +5856,8 @@ static int osd_sparse_read(struct ceph_connection *con,
struct ceph_osd *o = con->private;
struct ceph_sparse_read *sr = &o->o_sparse_read;
u32 count = sr->sr_count;
u64 eoff, elen;
int ret;
u64 eoff, elen, len = 0;
int i, ret;

switch (sr->sr_state) {
case CEPH_SPARSE_READ_HDR:
Expand Down Expand Up @@ -5909,8 +5909,20 @@ static int osd_sparse_read(struct ceph_connection *con,
convert_extent_map(sr);
ret = sizeof(sr->sr_datalen);
*pbuf = (char *)&sr->sr_datalen;
sr->sr_state = CEPH_SPARSE_READ_DATA;
sr->sr_state = CEPH_SPARSE_READ_DATA_PRE;
break;
case CEPH_SPARSE_READ_DATA_PRE:
/* Convert sr_datalen to host-endian */
sr->sr_datalen = le32_to_cpu((__force __le32)sr->sr_datalen);
for (i = 0; i < count; i++)
len += sr->sr_extent[i].len;
if (sr->sr_datalen != len) {
pr_warn_ratelimited("data len %u != extent len %llu\n",
sr->sr_datalen, len);
return -EREMOTEIO;
}
sr->sr_state = CEPH_SPARSE_READ_DATA;
fallthrough;
case CEPH_SPARSE_READ_DATA:
if (sr->sr_index >= count) {
sr->sr_state = CEPH_SPARSE_READ_HDR;
Expand Down

0 comments on commit 7d7046a

Please sign in to comment.