From 30dc6381bbac213987be6fe0b0fb89868ff1f2c0 Mon Sep 17 00:00:00 2001
From: Sage Weil <sage@newdream.net>
Date: Mon, 21 Dec 2009 14:49:37 -0800
Subject: [PATCH] ceph: fix error paths for corrupt osdmap messages

Both osdmap_decode() and osdmap_apply_incremental() should never return
NULL.

Signed-off-by: Sage Weil <sage@newdream.net>
---
 fs/ceph/osd_client.c |  2 ++
 fs/ceph/osdmap.c     | 11 ++++++-----
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/fs/ceph/osd_client.c b/fs/ceph/osd_client.c
index 4bfe880d53c8..b474b3ad61f0 100644
--- a/fs/ceph/osd_client.c
+++ b/fs/ceph/osd_client.c
@@ -910,6 +910,7 @@ void ceph_osdc_handle_map(struct ceph_osd_client *osdc, struct ceph_msg *msg)
 				err = PTR_ERR(newmap);
 				goto bad;
 			}
+			BUG_ON(!newmap);
 			if (newmap != osdc->osdmap) {
 				ceph_osdmap_destroy(osdc->osdmap);
 				osdc->osdmap = newmap;
@@ -946,6 +947,7 @@ void ceph_osdc_handle_map(struct ceph_osd_client *osdc, struct ceph_msg *msg)
 				err = PTR_ERR(newmap);
 				goto bad;
 			}
+			BUG_ON(!newmap);
 			oldmap = osdc->osdmap;
 			osdc->osdmap = newmap;
 			if (oldmap)
diff --git a/fs/ceph/osdmap.c b/fs/ceph/osdmap.c
index 8c8ffe5ef7d4..a9416308de6f 100644
--- a/fs/ceph/osdmap.c
+++ b/fs/ceph/osdmap.c
@@ -200,6 +200,7 @@ static struct crush_map *crush_decode(void *pbyval, void *end)
 			size = sizeof(struct crush_bucket_straw);
 			break;
 		default:
+			err = -EINVAL;
 			goto bad;
 		}
 		BUG_ON(size == 0);
@@ -278,6 +279,7 @@ static struct crush_map *crush_decode(void *pbyval, void *end)
 		/* len */
 		ceph_decode_32_safe(p, end, yes, bad);
 #if BITS_PER_LONG == 32
+		err = -EINVAL;
 		if (yes > ULONG_MAX / sizeof(struct crush_rule_step))
 			goto bad;
 #endif
@@ -489,11 +491,10 @@ struct ceph_osdmap *osdmap_decode(void **p, void *end)
 		ceph_decode_copy(p, &pgid, sizeof(pgid));
 		n = ceph_decode_32(p);
 		ceph_decode_need(p, end, n * sizeof(u32), bad);
+		err = -ENOMEM;
 		pg = kmalloc(sizeof(*pg) + n*sizeof(u32), GFP_NOFS);
-		if (!pg) {
-			err = -ENOMEM;
+		if (!pg)
 			goto bad;
-		}
 		pg->pgid = pgid;
 		pg->len = n;
 		for (j = 0; j < n; j++)
@@ -564,8 +565,7 @@ struct ceph_osdmap *osdmap_apply_incremental(void **p, void *end,
 	if (len > 0) {
 		dout("apply_incremental full map len %d, %p to %p\n",
 		     len, *p, end);
-		newmap = osdmap_decode(p, min(*p+len, end));
-		return newmap;  /* error or not */
+		return osdmap_decode(p, min(*p+len, end));
 	}
 
 	/* new crush? */
@@ -809,6 +809,7 @@ int ceph_calc_object_layout(struct ceph_object_layout *ol,
 	struct ceph_pg_pool_info *pool;
 	unsigned ps;
 
+	BUG_ON(!osdmap);
 	if (poolid >= osdmap->num_pools)
 		return -EIO;
 
-- 
GitLab