From 81d8aa14f3f2b7bf4bdd0b4e53e3a653a600ef38 Mon Sep 17 00:00:00 2001
From: Sage Weil
Date: Tue, 27 Oct 2015 20:55:26 -0400
Subject: [PATCH] crush/mapper: ensure bucket id is valid before indexing buckets array

We were indexing the buckets array without verifying the index was within the [0,max_buckets) range. This could happen because a multistep rule does not have enough buckets and has CRUSH_ITEM_NONE for an intermediate result, which would feed in CRUSH_ITEM_NONE and make us crash.
Fixes: #13477
Signed-off-by: Sage Weil
(cherry picked from commit 976a24a326da8931e689ee22fce35feab5b67b76)
---
 src/crush/mapper.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/crush/mapper.c b/src/crush/mapper.c
index 916790d74672..3faf6f580403 100644
--- a/src/crush/mapper.c
+++ b/src/crush/mapper.c
@@ -894,6 +894,7 @@ int crush_do_rule(const struct crush_map *map,
 osize = 0;

 for (i = 0; i < wsize; i++) {
+ int bno;
 /*
 * see CRUSH_N, CRUSH_N_MINUS macros.
 * basically, numrep <= 0 means relative to
@@ -906,6 +907,13 @@ int crush_do_rule(const struct crush_map *map,
 continue;
 }
 j = 0;
+ /* make sure bucket id is valid */
+ bno = -1 - w[i];
+ if (bno < 0 || bno >= map->max_buckets) {
+ // w[i] is probably CRUSH_ITEM_NONE
+ dprintk(" bad w[i] %d\n", w[i]);
+ continue;
+ }
 if (firstn) {
 int recurse_tries;
 if (choose_leaf_tries)
@@ -917,7 +925,7 @@ int crush_do_rule(const struct crush_map *map,
 recurse_tries = choose_tries;
 osize += crush_choose_firstn(
 map,
- map->buckets[-1-w[i]],
+ map->buckets[bno],
 weight, weight_max,
 x, numrep,
 curstep->arg2,
@@ -936,7 +944,7 @@ int crush_do_rule(const struct crush_map *map,
 numrep : (result_max-osize));
 crush_choose_indep(
 map,
- map->buckets[-1-w[i]],
+ map->buckets[bno],
 weight, weight_max,
 x, out_size, numrep,
 curstep->arg2,
--
2.47.3
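Review bot: The range check added in the second hunk proves that `bno` lies in `[0, max_buckets)` but not that the slot is populated, and `map->buckets[bno]` is then handed straight to `crush_choose_firstn` and `crush_choose_indep` in the third and fourth hunks. Whether the buckets array can hold NULL entries is not visible from this patch; if it can (sparse bucket ids, or a map decoded from a peer that is not fully trusted), the guard should read `if (bno < 0 || bno >= map->max_buckets || !map->buckets[bno]) {`. The skip is reported only through `dprintk`, so the caller gets a shorter result with no sign that an item was dropped, and a comment such as `/* skip silently: the rule yields fewer results rather than failing */` would record that this is intended. The `//` comment inside the new block also departs from the `/* */` style used by the surrounding lines. The body of crush_do_rule starts and ends outside these hunks.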