git.apps.os.sepia.ceph.com Git

author	Jonas Pfefferle <pepperjo@japf.ch>
	Wed, 9 Mar 2022 13:26:42 +0000 (14:26 +0100)
committer	Ilya Dryomov <idryomov@gmail.com>
	Tue, 22 Mar 2022 11:58:02 +0000 (12:58 +0100)
commit	7afdead760d049b11b9a036d4dd791bf10e7eef0
tree	1f06a7713118828d2205f4799c96c081d873a986	tree \| snapshot
parent	065c9d29f7426c283cf80fed433ed59efc43fe5e	commit \| diff

librbd: readv/writev fix iovecs length computation overflow

iovec have unsigned length (size_t) and before this patch the
total length was computed by adding iovec's length to a signed
length variable (ssize_t). While the code checked if the resulting
length was negative on overflow, the case where length is positive
after overflow was not checked. This patch fixes the overflow check
by changing length to unsigned size_t.

Additionally, this patch fixes the case where some iovecs have been
added to the bufferlist and the aio completion has been blocked, but
adding an additional iovec fails because of overflow. This leads to
the UserBufferDeleter trying to unblock the completion on destruction
of the bufferlist but asserting because the completion was never
armed. We avoid this by first computing the total length and checking
for overflows and iovcnt before adding them to the bufferlist.

Signed-off-by: Jonas Pfefferle <pepperjo@japf.ch>
(cherry picked from commit e50405ef857f487bc1c104bbf3e8859ea099a0c4)

Conflicts:
src/librbd/librbd.cc [ commit b12b8c447a41 ("librbd: switch
to new api::Io dispatch helper methods") not in octopus ]

src/librbd/librbd.cc		diff \| blob \| history
src/test/librbd/test_librbd.cc		diff \| blob \| history