Bug #10448
closedwrong parameter passed to ceph_zero_pape_vector_range() in striped_read() of fs/ceph/file.c
0%
Description
Hi, all
A bug is found in striped_read() of fs/ceph/file.c.
striped_read() calls ceph_zero_pape_vector_range() at line 359.
The first argument, page_align + read + ret, passed to ceph_zero_pape_vector_range()
is wrong.
When a file has holes, this wrong parameter may cause memory corruption either in kernal
space or user space. Kernel space memory may be corrupted in the case of non direct IO;
user space memory may be corrupted in the case of direct IO. In the latter case, the application
doing direct IO may crash due to memory corruption, as we have experienced.
The correct value should be initial_align + read + ret, where intial_align = o_direct ? buf_align : io_align.
Compared with page_align, the current page offest, initial_align is the initial page offest, which
should be used to calculate the page and offset in ceph_zero_pape_vector_range().
Best Regards!
Updated by Greg Farnum over 9 years ago
- Project changed from Linux kernel client to CephFS
- Category set to 53
I don't think rbd uses anything under fs/ceph, so here's a category where Zheng and Sage are more likely to notice it.
Updated by Greg Farnum over 9 years ago
Zheng, we've got a new failing directio test at http://qa-proxy.ceph.com/teuthology/teuthology-2014-12-28_23:08:01-kcephfs-next-testing-basic-multi/682654/, could this be the cause?
Updated by Zheng Yan over 9 years ago
the directio failure is caused by the 'reading inline data' changes
Updated by Zheng Yan over 9 years ago
direct io failure is fixed by "ceph: fix reading inline data when i_size > PAGE_SIZE"