microsoft
/
WSL2-Linux-Kernel
зеркало из https://github.com/microsoft/WSL2-Linux-Kernel.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

A patch to avoid choking on multipage bvecs in the messenger and 

a small use-after-free fix.
 -----BEGIN PGP SIGNATURE-----
 
 iQFHBAABCAAxFiEEydHwtzie9C7TfviiSn/eOAIR84sFAlyeRsgTHGlkcnlvbW92
 QGdtYWlsLmNvbQAKCRBKf944AhHzi8i6B/9wP90ZLGzdAZDIlfWKXjGB1PUrFdeN
 WCA5p68Hl7yh1RbY6cvbZcTF5Bo3DhjxjxTFjXHPXLxsARlxbCXon9R6Lo2lDgA4
 Bk/W8dcR3onU3nspifG91Him/WnImWB80pyVgZog2PTiwsZJ0rRknXXbRU9ARCpk
 8vjg19O4wHwXgtMXAN3vxjQ7v8T8wk8vDb08efPcmMPLDYMaTUL1z2JoqyRfMTbo
 OpZoXSjHXqVFfz0mJ5EN7+92eK39oDcQIDSuuqePDCI09ZmrcQd/xSvG5tBfPoXr
 1mR3ojkKRURW5RKGClbSoAt90vIuYJH5Cncmemzsr6m4FETH6XthGbJl
 =twzl
 -----END PGP SIGNATURE-----

Merge tag 'ceph-for-5.1-rc3' of git://github.com/ceph/ceph-client

Pull ceph fixes from Ilya Dryomov:
 "A patch to avoid choking on multipage bvecs in the messenger and a
  small use-after-free fix"

* tag 'ceph-for-5.1-rc3' of git://github.com/ceph/ceph-client:
  ceph: fix use-after-free on symlink traversal
  libceph: fix breakage caused by multipage bvecs
This commit is contained in:
Linus Torvalds 2019-03-29 14:41:09 -07:00
Родитель c6503f12d1 daf5cc27ee
Коммит 7376e39ad9
2 изменённых файлов: 7 добавлений и 3 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

2
fs/ceph/inode.c
Просмотреть файл

@ -524,6 +524,7 @@ static void ceph_i_callback(struct rcu_head *head)
struct inode *inode = container_of(head, struct inode, i_rcu); struct inode *inode = container_of(head, struct inode, i_rcu);
struct ceph_inode_info *ci = ceph_inode(inode); struct ceph_inode_info *ci = ceph_inode(inode);
kfree(ci->i_symlink);
kmem_cache_free(ceph_inode_cachep, ci); kmem_cache_free(ceph_inode_cachep, ci);
} }
@ -566,7 +567,6 @@ void ceph_destroy_inode(struct inode *inode)
} }
} }
kfree(ci->i_symlink);
while ((n = rb_first(&ci->i_fragtree)) != NULL) { while ((n = rb_first(&ci->i_fragtree)) != NULL) {
frag = rb_entry(n, struct ceph_inode_frag, node); frag = rb_entry(n, struct ceph_inode_frag, node);
rb_erase(n, &ci->i_fragtree); rb_erase(n, &ci->i_fragtree);

8
net/ceph/messenger.c
Просмотреть файл

@ -840,6 +840,7 @@ static bool ceph_msg_data_bio_advance(struct ceph_msg_data_cursor *cursor,
size_t bytes) size_t bytes)
{ {
struct ceph_bio_iter *it = &cursor->bio_iter; struct ceph_bio_iter *it = &cursor->bio_iter;
struct page *page = bio_iter_page(it->bio, it->iter);
BUG_ON(bytes > cursor->resid); BUG_ON(bytes > cursor->resid);
BUG_ON(bytes > bio_iter_len(it->bio, it->iter)); BUG_ON(bytes > bio_iter_len(it->bio, it->iter));
@ -851,7 +852,8 @@ static bool ceph_msg_data_bio_advance(struct ceph_msg_data_cursor *cursor,
return false; /* no more data */ return false; /* no more data */
} }
if (!bytes || (it->iter.bi_size && it->iter.bi_bvec_done)) if (!bytes || (it->iter.bi_size && it->iter.bi_bvec_done &&
page == bio_iter_page(it->bio, it->iter)))
return false; /* more bytes to process in this segment */ return false; /* more bytes to process in this segment */
if (!it->iter.bi_size) { if (!it->iter.bi_size) {
@ -899,6 +901,7 @@ static bool ceph_msg_data_bvecs_advance(struct ceph_msg_data_cursor *cursor,
size_t bytes) size_t bytes)
{ {
struct bio_vec *bvecs = cursor->data->bvec_pos.bvecs; struct bio_vec *bvecs = cursor->data->bvec_pos.bvecs;
struct page *page = bvec_iter_page(bvecs, cursor->bvec_iter);
BUG_ON(bytes > cursor->resid); BUG_ON(bytes > cursor->resid);
BUG_ON(bytes > bvec_iter_len(bvecs, cursor->bvec_iter)); BUG_ON(bytes > bvec_iter_len(bvecs, cursor->bvec_iter));
@ -910,7 +913,8 @@ static bool ceph_msg_data_bvecs_advance(struct ceph_msg_data_cursor *cursor,
return false; /* no more data */ return false; /* no more data */
} }
if (!bytes || cursor->bvec_iter.bi_bvec_done) if (!bytes || (cursor->bvec_iter.bi_bvec_done &&
page == bvec_iter_page(bvecs, cursor->bvec_iter)))
return false; /* more bytes to process in this segment */ return false; /* more bytes to process in this segment */
BUG_ON(cursor->last_piece); BUG_ON(cursor->last_piece);