From afcc483947e32dfd6af3aee12610d42cf3add429 Mon Sep 17 00:00:00 2001
From: Xi Wang <xi.wang@gmail.com>
Date: Fri, 20 Apr 2012 15:49:44 -0500
Subject: [PATCH] --- yaml --- r: 309448 b: refs/heads/master c:
 50f7c4c967d0b5acd8e7ba6ab654dc4a7ac869ac h: refs/heads/master v: v3

---
 [refs]                    |  2 +-
 trunk/drivers/block/rbd.c | 10 ++++++----
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/[refs] b/[refs]
index dc61efe4030d..3ef0550d9877 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: f8ad495a8a0277b88c59bf38319e5e944aaf5a4a
+refs/heads/master: 50f7c4c967d0b5acd8e7ba6ab654dc4a7ac869ac
diff --git a/trunk/drivers/block/rbd.c b/trunk/drivers/block/rbd.c
index ca59d4d9471e..a75fe93a25b1 100644
--- a/trunk/drivers/block/rbd.c
+++ b/trunk/drivers/block/rbd.c
@@ -487,16 +487,18 @@ static void rbd_coll_release(struct kref *kref)
  */
 static int rbd_header_from_disk(struct rbd_image_header *header,
 				 struct rbd_image_header_ondisk *ondisk,
-				 int allocated_snaps,
+				 u32 allocated_snaps,
 				 gfp_t gfp_flags)
 {
-	int i;
-	u32 snap_count;
+	u32 i, snap_count;
 
 	if (memcmp(ondisk, RBD_HEADER_TEXT, sizeof(RBD_HEADER_TEXT)))
 		return -ENXIO;
 
 	snap_count = le32_to_cpu(ondisk->snap_count);
+	if (snap_count > (UINT_MAX - sizeof(struct ceph_snap_context))
+			 / sizeof (*ondisk))
+		return -EINVAL;
 	header->snapc = kmalloc(sizeof(struct ceph_snap_context) +
 				snap_count * sizeof (*ondisk),
 				gfp_flags);
@@ -1591,7 +1593,7 @@ static int rbd_read_header(struct rbd_device *rbd_dev,
 {
 	ssize_t rc;
 	struct rbd_image_header_ondisk *dh;
-	int snap_count = 0;
+	u32 snap_count = 0;
 	u64 ver;
 	size_t len;