crush: fix crash from invalid 'take' argument

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Verify that the 'take' argument is a valid device or bucket.
Otherwise ignore it (do not add the value to the working vector).

Reflects ceph.git commit 9324d0a1af61e1c234cc48e2175b4e6320fff8f4.

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>

Ilya Dryomov 10 years ago 8f529795 687265e5

+9 -2

1 changed file

expand all

net

ceph

crush

mapper.c

+9 -2

net/ceph/crush/mapper.c

··· 790 790 791 791 switch (curstep->op) { 792 792 case CRUSH_RULE_TAKE: 793 - w[0] = curstep->arg1; 794 - wsize = 1; 793 + if ((curstep->arg1 >= 0 && 794 + curstep->arg1 < map->max_devices) || 795 + (-1-curstep->arg1 < map->max_buckets && 796 + map->buckets[-1-curstep->arg1])) { 797 + w[0] = curstep->arg1; 798 + wsize = 1; 799 + } else { 800 + dprintk(" bad take value %d\n", curstep->arg1); 801 + } 795 802 break; 796 803 797 804 case CRUSH_RULE_SET_CHOOSE_TRIES: