From ec7b58923ef0e61bb2acc1a425b4e976c735786e Mon Sep 17 00:00:00 2001 From: Cory Snyder Date: Fri, 28 May 2021 15:08:49 -0400 Subject: [PATCH] mgr/DaemonServer.cc: prevent integer underflow that is triggered by large increases to pg_num/pgp_num This fixes a scenario where mgrs continually crash while attempting to apply large increases to pg_num/pgp_num. The max step size (estmax) for each incremental update to the pgp_num is calculated as a percentage of the pg_num, which permits the possibility for the max step size (estmax) to be greater than the current pgp_num when the increase is large; this causes an integer underflow when the max step size is subtracted from the pgp_num in order to calculate the next step size with std::clamp. The integer underflow causes hi < lo in args passed to std::clamp, which causes a failed assertion, SIGABRT, and ultimately crashing mgr. Fixes: https://tracker.ceph.com/issues/47738 Signed-off-by: Cory Snyder (cherry picked from commit b4316d257e928b3789b818054927c2e98bb3c0d6) --- src/mgr/DaemonServer.cc | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/mgr/DaemonServer.cc b/src/mgr/DaemonServer.cc index ff548a155faa0..a39a2da8eefe8 100644 --- a/src/mgr/DaemonServer.cc +++ b/src/mgr/DaemonServer.cc @@ -2708,8 +2708,12 @@ void DaemonServer::adjust_pgs() max_misplaced / 2.0); unsigned estmax = std::max( (double)p.get_pg_num() * room, 1u); + unsigned next_min = 0; + if (p.get_pgp_num() > estmax) { + next_min = p.get_pgp_num() - estmax; + } next = std::clamp(target, - p.get_pgp_num() - estmax, + next_min, p.get_pgp_num() + estmax); dout(20) << " room " << room << " estmax " << estmax << " delta " << (target-p.get_pgp_num()) -- 2.39.5