From: Sage Weil <sage@redhat.com>
Date: Tue, 12 May 2015 21:03:49 +0000 (-0700)
Subject: crush: fix crash from invalid 'take' argument
X-Git-Tag: v0.94.3~41^2~1
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=56565ee1cdb06a7705d1c3f26f5592b10399324a;p=ceph.git

crush: fix crash from invalid 'take' argument

Verify that the 'take' argument is a valid device or bucket.  Otherwise,
ignore it (do not add the value to the working vector).

Backport: hammer, firefly
Fixes: #11602
Reported-by: shiva rkreddy <shiva.rkreddy@gmail.com>
Signed-off-by: Sage Weil <sage@redhat.com>
(cherry picked from commit 9324d0a1af61e1c234cc48e2175b4e6320fff8f4)
---

diff --git a/src/crush/mapper.c b/src/crush/mapper.c
index 251ab4af1f8a3..916790d74672d 100644
--- a/src/crush/mapper.c
+++ b/src/crush/mapper.c
@@ -839,8 +839,15 @@ int crush_do_rule(const struct crush_map *map,
 
 		switch (curstep->op) {
 		case CRUSH_RULE_TAKE:
-			w[0] = curstep->arg1;
-			wsize = 1;
+			if ((curstep->arg1 >= 0 &&
+			     curstep->arg1 < map->max_devices) ||
+			    (-1-curstep->arg1 < map->max_buckets &&
+			     map->buckets[-1-curstep->arg1])) {
+				w[0] = curstep->arg1;
+				wsize = 1;
+			} else {
+				dprintk(" bad take value %d\n", curstep->arg1);
+			}
 			break;
 
 		case CRUSH_RULE_SET_CHOOSE_TRIES: