From 1fa8c925baeea549a824e463c89060dd60434f3f Mon Sep 17 00:00:00 2001 
From: Kefu Chai
Date: Wed, 26 May 2021 14:58:33 +0800
Subject: [PATCH] crush/crush: ensure alignof(crush_work_bucket) is 1

in do_rule(), we allocate the space for crush_work_bucket using

  char work[crush_work_size(crush, maxout)];

where crush_work_size() calculates the size like:

  map->working_size + result_max * 3 * sizeof(__u32);

so work is allocated on the stack, but the alignment of the crush_work_bucket
struct is not taken into consideration, so in crush_init_workspace(), the
pointer could point to an address which is not aligned to 8 bytes, which is
the alignment of crush_work_bucket by default. so are its member variables,
all of them are uint32_t, and hence are also 8-bytes aligned.

to ensure the compiler generates the correct assembly for accessing the
member variables without assuming that the struct is 8-byte aligned, we
should specify the alignment explicitly. in this change,
`__attribute__ ((packed))` is specified for crush_work_bucket, so that its
alignment is 1.

this issue is spotted by ASan, it complains like:

../src/crush/mapper.c:881:22: runtime error: member access within misaligned address 0x7ffe051f90dc for type 'struct crush_work_bucket', which requires 8 byte alignment
0x7ffe051f90dc: note: pointer points here
 1d e5 77 3d 68 55 00 00 00 00 00 00 00 00 00 00 20 93 1f 05 fe 7f 00 00 10 91 1f 05 fe 7f 00 00
             ^
../src/crush/mapper.c:882:22: runtime error: member access within misaligned address 0x7ffe051f90dc for type 'struct crush_work_bucket', which requires 8 byte alignment
0x7ffe051f90dc: note: pointer points here
 1d e5 77 3d 00 00 00 00 00 00 00 00 00 00 00 00 20 93 1f 05 fe 7f 00 00 10 91 1f 05 fe 7f 00 00
             ^
../src/crush/mapper.c:883:20: runtime error: member access within misaligned address 0x7ffe051f90dc for type 'struct crush_work_bucket', which requires 8 byte alignment
0x7ffe051f90dc: note: pointer points here
 1d e5 77 3d 00 00 00 00 00 00 00 00 00 00 00 00 20 93 1f 05 fe 7f 00 00 10 91 1f 05 fe 7f 00 00
             ^

Fixes: https://tracker.ceph.com/issues/50978
Signed-off-by: Kefu Chai --- src/crush/crush.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/crush/crush.h b/src/crush/crush.h index 747601467cedc..91b78ad9ccfe3 100644 --- a/src/crush/crush.h +++ b/src/crush/crush.h @@ -540,7 +540,7 @@ struct crush_work_bucket { __u32 perm_x; /* @x for which *perm is defined */ __u32 perm_n; /* num elements of *perm that are permuted/defined */ __u32 *perm; /* Permutation of the bucket's items */ -}; +} __attribute__ ((packed)); struct crush_work { struct crush_work_bucket **work; /* Per-bucket working store */ -- 2.39.5
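Review bot: Packing the struct is a broader change than the misalignment calls for, and the fix belongs at the allocation site. The 8-byte requirement in the sanitizer report comes from the `__u32 *perm` pointer member visible in the hunk (a `__u32` itself only needs 4-byte alignment), while the root cause described in the message is that `char work[crush_work_size(crush, maxout)]` in do_rule() carries no alignment guarantee at all. Changing `};` to `} __attribute__ ((packed));` drops the struct's alignment to 1 for every consumer of crush.h, so `perm` is accessed with unaligned loads and stores everywhere (byte-wise sequences on targets that fault on misaligned pointer access), and taking `&bucket->perm` produces a misaligned pointer that GCC and Clang flag with -Waddress-of-packed-member. Consider instead giving the workspace the alignment the struct already expects, for example declaring the `work` array with `__attribute__((aligned(8)))` or allocating it as an array of `__u64` whose byte size covers `crush_work_size()`, so the struct layout stays unchanged. If `packed` is kept, the closing line should carry a comment saying it exists to tolerate an unaligned workspace buffer, and the commit message should note that the quoted "member access within misaligned address" diagnostic is produced by UBSan's alignment check rather than by ASan, so the next reader knows which sanitizer reproduces it.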