From: Sage Weil Date: Wed, 28 Oct 2015 00:55:26 +0000 (-0400) Subject: crush/mapper: ensure bucket id is valid before indexing buckets array X-Git-Tag: v0.94.6~62^2~1 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=81d8aa14f3f2b7bf4bdd0b4e53e3a653a600ef38;p=ceph.git crush/mapper: ensure bucket id is valid before indexing buckets array We were indexing the buckets array without verifying the index was within the [0,max_buckets) range. This could happen because a multistep rule does not have enough buckets and has CRUSH_ITEM_NONE for an intermediate result, which would feed in CRUSH_ITEM_NONE and make us crash. Fixes: #13477 Signed-off-by: Sage Weil (cherry picked from commit 976a24a326da8931e689ee22fce35feab5b67b76) --- diff --git a/src/crush/mapper.c b/src/crush/mapper.c index 916790d74672..3faf6f580403 100644 --- a/src/crush/mapper.c +++ b/src/crush/mapper.c @@ -894,6 +894,7 @@ int crush_do_rule(const struct crush_map *map, osize = 0; for (i = 0; i < wsize; i++) { + int bno; /* * see CRUSH_N, CRUSH_N_MINUS macros. * basically, numrep <= 0 means relative to @@ -906,6 +907,13 @@ int crush_do_rule(const struct crush_map *map, continue; } j = 0; + /* make sure bucket id is valid */ + bno = -1 - w[i]; + if (bno < 0 || bno >= map->max_buckets) { + // w[i] is probably CRUSH_ITEM_NONE + dprintk(" bad w[i] %d\n", w[i]); + continue; + } if (firstn) { int recurse_tries; if (choose_leaf_tries) @@ -917,7 +925,7 @@ int crush_do_rule(const struct crush_map *map, recurse_tries = choose_tries; osize += crush_choose_firstn( map, - map->buckets[-1-w[i]], + map->buckets[bno], weight, weight_max, x, numrep, curstep->arg2, @@ -936,7 +944,7 @@ int crush_do_rule(const struct crush_map *map, numrep : (result_max-osize)); crush_choose_indep( map, - map->buckets[-1-w[i]], + map->buckets[bno], weight, weight_max, x, out_size, numrep, curstep->arg2,
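Review bot: In the `@@ -906,6 +907,13 @@` hunk, the rejected-id path is reported only through `dprintk(" bad w[i] %d\n", w[i]);` before the `continue`, so if dprintk is a no-op in normal builds, a rule that feeds CRUSH_ITEM_NONE into this step is skipped without any trace, and the item adds nothing to `osize` in either the firstn or the indep branch. Consider a comment saying that dropping the item is the intended result for both modes. The new `// w[i] is probably CRUSH_ITEM_NONE` comment should use the `/* */` style of the `/* make sure bucket id is valid */` comment just above it. The arithmetic itself holds up: `-1 - w[i]` cannot overflow for any int value, and a non-negative w[i] (which is not a bucket id) gives a negative `bno` and is rejected by the same test.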
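Review bot: At the two call sites that now pass `map->buckets[bno]` (the `crush_choose_firstn` and `crush_choose_indep` hunks), the new guard only establishes that `bno` is inside [0, max_buckets); it says nothing about whether that slot is populated. If `map->buckets` can hold NULL entries, extend the guard with `|| !map->buckets[bno]` so that neither chooser is handed a NULL bucket. The diff touches only src/crush/mapper.c, so the case from the commit message (a multistep rule with CRUSH_ITEM_NONE as an intermediate result) has no regression test here; adding one would protect the guard against later refactoring.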