git-server-git.apps.pok.os.sepia.ceph.com Git

author	Jonas Pfefferle <pepperjo@japf.ch>
	Wed, 9 Mar 2022 13:26:42 +0000 (14:26 +0100)
committer	Ilya Dryomov <idryomov@gmail.com>
	Tue, 22 Mar 2022 10:16:28 +0000 (11:16 +0100)
commit	395dd0459cc7473c17da5d1d18f30fcd1623e50c
tree	836a92a669b030ff2a29febebafbd0a58aa1894f	tree \| snapshot
parent	386bc0a55fd70d9a67ce3aa3091804f77307544b	commit \| diff

librbd: readv/writev fix iovecs length computation overflow

iovec have unsigned length (size_t) and before this patch the
total length was computed by adding iovec's length to a signed
length variable (ssize_t). While the code checked if the resulting
length was negative on overflow, the case where length is positive
after overflow was not checked. This patch fixes the overflow check
by changing length to unsigned size_t.

Additionally, this patch fixes the case where some iovecs have been
added to the bufferlist and the aio completion has been blocked, but
adding an additional iovec fails because of overflow. This leads to
the UserBufferDeleter trying to unblock the completion on destruction
of the bufferlist but asserting because the completion was never
armed. We avoid this by first computing the total length and checking
for overflows and iovcnt before adding them to the bufferlist.

Signed-off-by: Jonas Pfefferle <pepperjo@japf.ch>
(cherry picked from commit e50405ef857f487bc1c104bbf3e8859ea099a0c4)

src/librbd/librbd.cc		diff \| blob \| history
src/test/librbd/test_librbd.cc		diff \| blob \| history