Merge tag 'ceph-for-5.1-rc3' of git://github.com/ceph/ceph-client

Pull ceph fixes from Ilya Dryomov: "A patch to avoid choking on multipage bvecs in the messenger and a small use-after-free fix" * tag 'ceph-for-5.1-rc3' of git://github.com/ceph/ceph-client: ceph: fix use-after-free on symlink traversal libceph: fix breakage caused by multipage bvecs
author: Linus Torvalds <torvalds@linux-foundation.org> 2019-03-29 17:41:09 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2019-03-29 17:41:09 -0400
commit: 7376e39ad96583545faefa2e7798bcb6a2a212a7 (patch)
tree: 09842932712f06a21a7f1bdd83fa6fbfabc79d70
parent: c6503f12d135a616b25be99a492765fc9e9fe07e (diff)
parent: daf5cc27eed99afdea8d96e71b89ba41f5406ef6 (diff)
2 files changed, 7 insertions, 3 deletions
diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c
index e3346628efe2..2d61ddda9bf5 100644
--- a/fs/ceph/inode.c
+++ b/fs/ceph/inode.c
@@ -524,6 +524,7 @@ static void ceph_i_callback(struct rcu_head *head)
        struct inode *inode = container_of(head, struct inode, i_rcu);
        struct ceph_inode_info *ci = ceph_inode(inode);
+        kfree(ci->i_symlink);
        kmem_cache_free(ceph_inode_cachep, ci);
 }
@@ -566,7 +567,6 @@ void ceph_destroy_inode(struct inode *inode)
                }
        }
-        kfree(ci->i_symlink);
        while ((n = rb_first(&ci->i_fragtree)) != NULL) {
                frag = rb_entry(n, struct ceph_inode_frag, node);
                rb_erase(n, &ci->i_fragtree);
diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
index 7e71b0df1fbc..3083988ce729 100644
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -840,6 +840,7 @@ static bool ceph_msg_data_bio_advance(struct ceph_msg_data_cursor *cursor,
                                        size_t bytes)
 {
        struct ceph_bio_iter *it = &cursor->bio_iter;
+        struct page *page = bio_iter_page(it->bio, it->iter);
        BUG_ON(bytes > cursor->resid);
        BUG_ON(bytes > bio_iter_len(it->bio, it->iter));
@@ -851,7 +852,8 @@ static bool ceph_msg_data_bio_advance(struct ceph_msg_data_cursor *cursor,
                return false;   /* no more data */
        }
-        if (!bytes || (it->iter.bi_size && it->iter.bi_bvec_done))
+        if (!bytes || (it->iter.bi_size && it->iter.bi_bvec_done &&
+                       page == bio_iter_page(it->bio, it->iter)))
                return false;   /* more bytes to process in this segment */
        if (!it->iter.bi_size) {
@@ -899,6 +901,7 @@ static bool ceph_msg_data_bvecs_advance(struct ceph_msg_data_cursor *cursor,
                                        size_t bytes)
 {
        struct bio_vec *bvecs = cursor->data->bvec_pos.bvecs;
+        struct page *page = bvec_iter_page(bvecs, cursor->bvec_iter);
        BUG_ON(bytes > cursor->resid);
        BUG_ON(bytes > bvec_iter_len(bvecs, cursor->bvec_iter));
@@ -910,7 +913,8 @@ static bool ceph_msg_data_bvecs_advance(struct ceph_msg_data_cursor *cursor,
                return false;   /* no more data */
        }
-        if (!bytes || cursor->bvec_iter.bi_bvec_done)
+        if (!bytes || (cursor->bvec_iter.bi_bvec_done &&
+                       page == bvec_iter_page(bvecs, cursor->bvec_iter)))
                return false;   /* more bytes to process in this segment */
        BUG_ON(cursor->last_piece);
author	Linus Torvalds <torvalds@linux-foundation.org>	2019-03-29 17:41:09 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2019-03-29 17:41:09 -0400
commit	7376e39ad96583545faefa2e7798bcb6a2a212a7 (patch)
tree	09842932712f06a21a7f1bdd83fa6fbfabc79d70
parent	c6503f12d135a616b25be99a492765fc9e9fe07e (diff)
parent	daf5cc27eed99afdea8d96e71b89ba41f5406ef6 (diff)