Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client

Pull Ceph fixes from Sage Weil: "The main thing here is a set of three patches that fix a buffer overrun for large authentication tickets (sigh). There is also a trivial warning fix and an error path fix that are both regressions" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client: libceph: do not hard code max auth ticket len libceph: add process_one_ticket() helper libceph: gracefully handle large reply messages from the mon rbd: fix error return code in rbd_dev_device_setup() rbd: avoid format-security warning inside alloc_workqueue()
author: Linus Torvalds <torvalds@linux-foundation.org> 2014-09-11 21:03:21 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2014-09-11 21:03:21 -0400
commit: c73f6fdf2fc534e47b2a1ebfe00e57d585ef5b57 (patch)
tree: db143197352e03a15e5aa7161ba26609a3693535 /net
parent: 7ee2d2d67144965d9d3607369ab0ebf5bad230c0 (diff)
parent: c27a3e4d667fdcad3db7b104f75659478e0c68d8 (diff)
2 files changed, 143 insertions, 121 deletions
diff --git a/net/ceph/auth_x.c b/net/ceph/auth_x.c
index 96238ba95f2b..de6662b14e1f 100644
--- a/net/ceph/auth_x.c
+++ b/net/ceph/auth_x.c
@@ -13,8 +13,6 @@
 #include "auth_x.h"
 #include "auth_x_protocol.h"
-#define TEMP_TICKET_BUF_LEN     256
 static void ceph_x_validate_tickets(struct ceph_auth_client *ac, int *pneed);
 static int ceph_x_is_authenticated(struct ceph_auth_client *ac)
@@ -64,7 +62,7 @@ static int ceph_x_encrypt(struct ceph_crypto_key *secret,
 }
 static int ceph_x_decrypt(struct ceph_crypto_key *secret,
-                          void **p, void *end, void *obuf, size_t olen)
+                          void **p, void *end, void **obuf, size_t olen)
 {
        struct ceph_x_encrypt_header head;
        size_t head_len = sizeof(head);
@@ -75,8 +73,14 @@ static int ceph_x_decrypt(struct ceph_crypto_key *secret,
                return -EINVAL;
        dout("ceph_x_decrypt len %d\n", len);
-        ret = ceph_decrypt2(secret, &head, &head_len, obuf, &olen,
+        if (*obuf == NULL) {
-                            *p, len);
+                *obuf = kmalloc(len, GFP_NOFS);
+                if (!*obuf)
+                        return -ENOMEM;
+                olen = len;
+        }
+        ret = ceph_decrypt2(secret, &head, &head_len, *obuf, &olen, *p, len);
        if (ret)
                return ret;
        if (head.struct_v != 1 || le64_to_cpu(head.magic) != CEPHX_ENC_MAGIC)
@@ -129,139 +133,120 @@ static void remove_ticket_handler(struct ceph_auth_client *ac,
        kfree(th);
 }
-static int ceph_x_proc_ticket_reply(struct ceph_auth_client *ac,
+static int process_one_ticket(struct ceph_auth_client *ac,
-                                    struct ceph_crypto_key *secret,
+                              struct ceph_crypto_key *secret,
-                                    void *buf, void *end)
+                              void **p, void *end)
 {
        struct ceph_x_info *xi = ac->private;
-        int num;
+        int type;
-        void *p = buf;
+        u8 tkt_struct_v, blob_struct_v;
+        struct ceph_x_ticket_handler *th;
+        void *dbuf = NULL;
+        void *dp, *dend;
+        int dlen;
+        char is_enc;
+        struct timespec validity;
+        struct ceph_crypto_key old_key;
+        void *ticket_buf = NULL;
+        void *tp, *tpend;
+        struct ceph_timespec new_validity;
+        struct ceph_crypto_key new_session_key;
+        struct ceph_buffer *new_ticket_blob;
+        unsigned long new_expires, new_renew_after;
+        u64 new_secret_id;
        int ret;
-        char *dbuf;
-        char *ticket_buf;
-        u8 reply_struct_v;
-        dbuf = kmalloc(TEMP_TICKET_BUF_LEN, GFP_NOFS);
+        ceph_decode_need(p, end, sizeof(u32) + 1, bad);
-        if (!dbuf)
-                return -ENOMEM;
-        ret = -ENOMEM;
+        type = ceph_decode_32(p);
-        ticket_buf = kmalloc(TEMP_TICKET_BUF_LEN, GFP_NOFS);
+        dout(" ticket type %d %s\n", type, ceph_entity_type_name(type));
-        if (!ticket_buf)
-                goto out_dbuf;
-        ceph_decode_need(&p, end, 1 + sizeof(u32), bad);
+        tkt_struct_v = ceph_decode_8(p);
-        reply_struct_v = ceph_decode_8(&p);
+        if (tkt_struct_v != 1)
-        if (reply_struct_v != 1)
                goto bad;
-        num = ceph_decode_32(&p);
-        dout("%d tickets\n", num);
-        while (num--) {
-                int type;
-                u8 tkt_struct_v, blob_struct_v;
-                struct ceph_x_ticket_handler *th;
-                void *dp, *dend;
-                int dlen;
-                char is_enc;
-                struct timespec validity;
-                struct ceph_crypto_key old_key;
-                void *tp, *tpend;
-                struct ceph_timespec new_validity;
-                struct ceph_crypto_key new_session_key;
-                struct ceph_buffer *new_ticket_blob;
-                unsigned long new_expires, new_renew_after;
-                u64 new_secret_id;
-                ceph_decode_need(&p, end, sizeof(u32) + 1, bad);
-                type = ceph_decode_32(&p);
-                dout(" ticket type %d %s\n", type, ceph_entity_type_name(type));
-                tkt_struct_v = ceph_decode_8(&p);
-                if (tkt_struct_v != 1)
-                        goto bad;
-                th = get_ticket_handler(ac, type);
-                if (IS_ERR(th)) {
-                        ret = PTR_ERR(th);
-                        goto out;
-                }
-                /* blob for me */
+        th = get_ticket_handler(ac, type);
-                dlen = ceph_x_decrypt(secret, &p, end, dbuf,
+        if (IS_ERR(th)) {
-                                      TEMP_TICKET_BUF_LEN);
+                ret = PTR_ERR(th);
-                if (dlen <= 0) {
+                goto out;
-                        ret = dlen;
+        }
-                        goto out;
-                }
-                dout(" decrypted %d bytes\n", dlen);
-                dend = dbuf + dlen;
-                dp = dbuf;
-                tkt_struct_v = ceph_decode_8(&dp);
+        /* blob for me */
-                if (tkt_struct_v != 1)
+        dlen = ceph_x_decrypt(secret, p, end, &dbuf, 0);
-                        goto bad;
+        if (dlen <= 0) {
+                ret = dlen;
+                goto out;
+        }
+        dout(" decrypted %d bytes\n", dlen);
+        dp = dbuf;
+        dend = dp + dlen;
-                memcpy(&old_key, &th->session_key, sizeof(old_key));
+        tkt_struct_v = ceph_decode_8(&dp);
-                ret = ceph_crypto_key_decode(&new_session_key, &dp, dend);
+        if (tkt_struct_v != 1)
-                if (ret)
+                goto bad;
-                        goto out;
-                ceph_decode_copy(&dp, &new_validity, sizeof(new_validity));
+        memcpy(&old_key, &th->session_key, sizeof(old_key));
-                ceph_decode_timespec(&validity, &new_validity);
+        ret = ceph_crypto_key_decode(&new_session_key, &dp, dend);
-                new_expires = get_seconds() + validity.tv_sec;
+        if (ret)
-                new_renew_after = new_expires - (validity.tv_sec / 4);
+                goto out;
-                dout(" expires=%lu renew_after=%lu\n", new_expires,
-                     new_renew_after);
-                /* ticket blob for service */
+        ceph_decode_copy(&dp, &new_validity, sizeof(new_validity));
-                ceph_decode_8_safe(&p, end, is_enc, bad);
+        ceph_decode_timespec(&validity, &new_validity);
-                tp = ticket_buf;
+        new_expires = get_seconds() + validity.tv_sec;
-                if (is_enc) {
+        new_renew_after = new_expires - (validity.tv_sec / 4);
-                        /* encrypted */
+        dout(" expires=%lu renew_after=%lu\n", new_expires,
-                        dout(" encrypted ticket\n");
+             new_renew_after);
-                        dlen = ceph_x_decrypt(&old_key, &p, end, ticket_buf,
-                                              TEMP_TICKET_BUF_LEN);
+        /* ticket blob for service */
-                        if (dlen < 0) {
+        ceph_decode_8_safe(p, end, is_enc, bad);
-                                ret = dlen;
+        if (is_enc) {
-                                goto out;
+                /* encrypted */
-                        }
+                dout(" encrypted ticket\n");
-                        dlen = ceph_decode_32(&tp);
+                dlen = ceph_x_decrypt(&old_key, p, end, &ticket_buf, 0);
-                } else {
+                if (dlen < 0) {
-                        /* unencrypted */
+                        ret = dlen;
-                        ceph_decode_32_safe(&p, end, dlen, bad);
+                        goto out;
-                        ceph_decode_need(&p, end, dlen, bad);
-                        ceph_decode_copy(&p, ticket_buf, dlen);
                }
-                tpend = tp + dlen;
+                tp = ticket_buf;
-                dout(" ticket blob is %d bytes\n", dlen);
+                dlen = ceph_decode_32(&tp);
-                ceph_decode_need(&tp, tpend, 1 + sizeof(u64), bad);
+        } else {
-                blob_struct_v = ceph_decode_8(&tp);
+                /* unencrypted */
-                new_secret_id = ceph_decode_64(&tp);
+                ceph_decode_32_safe(p, end, dlen, bad);
-                ret = ceph_decode_buffer(&new_ticket_blob, &tp, tpend);
+                ticket_buf = kmalloc(dlen, GFP_NOFS);
-                if (ret)
+                if (!ticket_buf) {
+                        ret = -ENOMEM;
                        goto out;
+                }
-                /* all is well, update our ticket */
+                tp = ticket_buf;
-                ceph_crypto_key_destroy(&th->session_key);
+                ceph_decode_need(p, end, dlen, bad);
-                if (th->ticket_blob)
+                ceph_decode_copy(p, ticket_buf, dlen);
-                        ceph_buffer_put(th->ticket_blob);
-                th->session_key = new_session_key;
-                th->ticket_blob = new_ticket_blob;
-                th->validity = new_validity;
-                th->secret_id = new_secret_id;
-                th->expires = new_expires;
-                th->renew_after = new_renew_after;
-                dout(" got ticket service %d (%s) secret_id %lld len %d\n",
-                     type, ceph_entity_type_name(type), th->secret_id,
-                     (int)th->ticket_blob->vec.iov_len);
-                xi->have_keys |= th->service;
        }
+        tpend = tp + dlen;
+        dout(" ticket blob is %d bytes\n", dlen);
+        ceph_decode_need(&tp, tpend, 1 + sizeof(u64), bad);
+        blob_struct_v = ceph_decode_8(&tp);
+        new_secret_id = ceph_decode_64(&tp);
+        ret = ceph_decode_buffer(&new_ticket_blob, &tp, tpend);
+        if (ret)
+                goto out;
+        /* all is well, update our ticket */
+        ceph_crypto_key_destroy(&th->session_key);
+        if (th->ticket_blob)
+                ceph_buffer_put(th->ticket_blob);
+        th->session_key = new_session_key;
+        th->ticket_blob = new_ticket_blob;
+        th->validity = new_validity;
+        th->secret_id = new_secret_id;
+        th->expires = new_expires;
+        th->renew_after = new_renew_after;
+        dout(" got ticket service %d (%s) secret_id %lld len %d\n",
+             type, ceph_entity_type_name(type), th->secret_id,
+             (int)th->ticket_blob->vec.iov_len);
+        xi->have_keys |= th->service;
-        ret = 0;
 out:
        kfree(ticket_buf);
-out_dbuf:
        kfree(dbuf);
        return ret;
@@ -270,6 +255,34 @@ bad:
        goto out;
 }
+static int ceph_x_proc_ticket_reply(struct ceph_auth_client *ac,
+                                    struct ceph_crypto_key *secret,
+                                    void *buf, void *end)
+{
+        void *p = buf;
+        u8 reply_struct_v;
+        u32 num;
+        int ret;
+        ceph_decode_8_safe(&p, end, reply_struct_v, bad);
+        if (reply_struct_v != 1)
+                return -EINVAL;
+        ceph_decode_32_safe(&p, end, num, bad);
+        dout("%d tickets\n", num);
+        while (num--) {
+                ret = process_one_ticket(ac, secret, &p, end);
+                if (ret)
+                        return ret;
+        }
+        return 0;
+bad:
+        return -EINVAL;
+}
 static int ceph_x_build_authorizer(struct ceph_auth_client *ac,
                                   struct ceph_x_ticket_handler *th,
                                   struct ceph_x_authorizer *au)
@@ -583,13 +596,14 @@ static int ceph_x_verify_authorizer_reply(struct ceph_auth_client *ac,
        struct ceph_x_ticket_handler *th;
        int ret = 0;
        struct ceph_x_authorize_reply reply;
+        void *preply = &reply;
        void *p = au->reply_buf;
        void *end = p + sizeof(au->reply_buf);
        th = get_ticket_handler(ac, au->service);
        if (IS_ERR(th))
                return PTR_ERR(th);
-        ret = ceph_x_decrypt(&th->session_key, &p, end, &reply, sizeof(reply));
+        ret = ceph_x_decrypt(&th->session_key, &p, end, &preply, sizeof(reply));
        if (ret < 0)
                return ret;
        if (ret != sizeof(reply))
diff --git a/net/ceph/mon_client.c b/net/ceph/mon_client.c
index 067d3af2eaf6..61fcfc304f68 100644
--- a/net/ceph/mon_client.c
+++ b/net/ceph/mon_client.c
@@ -1181,7 +1181,15 @@ static struct ceph_msg *mon_alloc_msg(struct ceph_connection *con,
        if (!m) {
                pr_info("alloc_msg unknown type %d\n", type);
                *skip = 1;
+        } else if (front_len > m->front_alloc_len) {
+                pr_warning("mon_alloc_msg front %d > prealloc %d (%u#%llu)\n",
+                           front_len, m->front_alloc_len,
+                           (unsigned int)con->peer_name.type,
+                           le64_to_cpu(con->peer_name.num));
+                ceph_msg_put(m);
+                m = ceph_msg_new(type, front_len, GFP_NOFS, false);
        }
        return m;
 }
author	Linus Torvalds <torvalds@linux-foundation.org>	2014-09-11 21:03:21 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2014-09-11 21:03:21 -0400
commit	c73f6fdf2fc534e47b2a1ebfe00e57d585ef5b57 (patch)
tree	db143197352e03a15e5aa7161ba26609a3693535 /net
parent	7ee2d2d67144965d9d3607369ab0ebf5bad230c0 (diff)
parent	c27a3e4d667fdcad3db7b104f75659478e0c68d8 (diff)

diff --git a/net/ceph/auth_x.c b/net/ceph/auth_x.c index 96238ba95f2b..de6662b14e1f 100644 --- a/net/ceph/auth_x.c +++ b/net/ceph/auth_x.c
@@ -13,8 +13,6 @@
13	#include "auth_x.h"	13	#include "auth_x.h"
14	#include "auth_x_protocol.h"	14	#include "auth_x_protocol.h"
15		15
16	#define TEMP_TICKET_BUF_LEN 256
17
18	static void ceph_x_validate_tickets(struct ceph_auth_client ac, int pneed);	16	static void ceph_x_validate_tickets(struct ceph_auth_client ac, int pneed);
19		17
20	static int ceph_x_is_authenticated(struct ceph_auth_client *ac)	18	static int ceph_x_is_authenticated(struct ceph_auth_client *ac)
@@ -64,7 +62,7 @@ static int ceph_x_encrypt(struct ceph_crypto_key *secret,
64	}	62	}
65		63
66	static int ceph_x_decrypt(struct ceph_crypto_key *secret,	64	static int ceph_x_decrypt(struct ceph_crypto_key *secret,
67	void *p, void end, void *obuf, size_t olen)	65	void *p, void end, void **obuf, size_t olen)
68	{	66	{
69	struct ceph_x_encrypt_header head;	67	struct ceph_x_encrypt_header head;
70	size_t head_len = sizeof(head);	68	size_t head_len = sizeof(head);
@@ -75,8 +73,14 @@ static int ceph_x_decrypt(struct ceph_crypto_key *secret,
75	return -EINVAL;	73	return -EINVAL;
76		74
77	dout("ceph_x_decrypt len %d\n", len);	75	dout("ceph_x_decrypt len %d\n", len);
78	ret = ceph_decrypt2(secret, &head, &head_len, obuf, &olen,	76	if (*obuf == NULL) {
79	*p, len);	77	*obuf = kmalloc(len, GFP_NOFS);
		78	if (!*obuf)
		79	return -ENOMEM;
		80	olen = len;
		81	}
		82
		83	ret = ceph_decrypt2(secret, &head, &head_len, obuf, &olen, p, len);
80	if (ret)	84	if (ret)
81	return ret;	85	return ret;
82	if (head.struct_v != 1 \|\| le64_to_cpu(head.magic) != CEPHX_ENC_MAGIC)	86	if (head.struct_v != 1 \|\| le64_to_cpu(head.magic) != CEPHX_ENC_MAGIC)
@@ -129,139 +133,120 @@ static void remove_ticket_handler(struct ceph_auth_client *ac,
129	kfree(th);	133	kfree(th);
130	}	134	}
131		135
132	static int ceph_x_proc_ticket_reply(struct ceph_auth_client *ac,	136	static int process_one_ticket(struct ceph_auth_client *ac,
133	struct ceph_crypto_key *secret,	137	struct ceph_crypto_key *secret,
134	void buf, void end)	138	void *p, void end)
135	{	139	{
136	struct ceph_x_info *xi = ac->private;	140	struct ceph_x_info *xi = ac->private;
137	int num;	141	int type;
138	void *p = buf;	142	u8 tkt_struct_v, blob_struct_v;
		143	struct ceph_x_ticket_handler *th;
		144	void *dbuf = NULL;
		145	void dp, dend;
		146	int dlen;
		147	char is_enc;
		148	struct timespec validity;
		149	struct ceph_crypto_key old_key;
		150	void *ticket_buf = NULL;
		151	void tp, tpend;
		152	struct ceph_timespec new_validity;
		153	struct ceph_crypto_key new_session_key;
		154	struct ceph_buffer *new_ticket_blob;
		155	unsigned long new_expires, new_renew_after;
		156	u64 new_secret_id;
139	int ret;	157	int ret;
140	char *dbuf;
141	char *ticket_buf;
142	u8 reply_struct_v;
143		158
144	dbuf = kmalloc(TEMP_TICKET_BUF_LEN, GFP_NOFS);	159	ceph_decode_need(p, end, sizeof(u32) + 1, bad);
145	if (!dbuf)
146	return -ENOMEM;
147		160
148	ret = -ENOMEM;	161	type = ceph_decode_32(p);
149	ticket_buf = kmalloc(TEMP_TICKET_BUF_LEN, GFP_NOFS);	162	dout(" ticket type %d %s\n", type, ceph_entity_type_name(type));
150	if (!ticket_buf)
151	goto out_dbuf;
152		163
153	ceph_decode_need(&p, end, 1 + sizeof(u32), bad);	164	tkt_struct_v = ceph_decode_8(p);
154	reply_struct_v = ceph_decode_8(&p);	165	if (tkt_struct_v != 1)
155	if (reply_struct_v != 1)
156	goto bad;	166	goto bad;
157	num = ceph_decode_32(&p);
158	dout("%d tickets\n", num);
159	while (num--) {
160	int type;
161	u8 tkt_struct_v, blob_struct_v;
162	struct ceph_x_ticket_handler *th;
163	void dp, dend;
164	int dlen;
165	char is_enc;
166	struct timespec validity;
167	struct ceph_crypto_key old_key;
168	void tp, tpend;
169	struct ceph_timespec new_validity;
170	struct ceph_crypto_key new_session_key;
171	struct ceph_buffer *new_ticket_blob;
172	unsigned long new_expires, new_renew_after;
173	u64 new_secret_id;
174
175	ceph_decode_need(&p, end, sizeof(u32) + 1, bad);
176
177	type = ceph_decode_32(&p);
178	dout(" ticket type %d %s\n", type, ceph_entity_type_name(type));
179
180	tkt_struct_v = ceph_decode_8(&p);
181	if (tkt_struct_v != 1)
182	goto bad;
183
184	th = get_ticket_handler(ac, type);
185	if (IS_ERR(th)) {
186	ret = PTR_ERR(th);
187	goto out;
188	}
189		167
190	/* blob for me */	168	th = get_ticket_handler(ac, type);
191	dlen = ceph_x_decrypt(secret, &p, end, dbuf,	169	if (IS_ERR(th)) {
192	TEMP_TICKET_BUF_LEN);	170	ret = PTR_ERR(th);
193	if (dlen <= 0) {	171	goto out;
194	ret = dlen;	172	}
195	goto out;
196	}
197	dout(" decrypted %d bytes\n", dlen);
198	dend = dbuf + dlen;
199	dp = dbuf;
200		173
201	tkt_struct_v = ceph_decode_8(&dp);	174	/* blob for me */
202	if (tkt_struct_v != 1)	175	dlen = ceph_x_decrypt(secret, p, end, &dbuf, 0);
203	goto bad;	176	if (dlen <= 0) {
		177	ret = dlen;
		178	goto out;
		179	}
		180	dout(" decrypted %d bytes\n", dlen);
		181	dp = dbuf;
		182	dend = dp + dlen;
204		183
205	memcpy(&old_key, &th->session_key, sizeof(old_key));	184	tkt_struct_v = ceph_decode_8(&dp);
206	ret = ceph_crypto_key_decode(&new_session_key, &dp, dend);	185	if (tkt_struct_v != 1)
207	if (ret)	186	goto bad;
208	goto out;
209		187
210	ceph_decode_copy(&dp, &new_validity, sizeof(new_validity));	188	memcpy(&old_key, &th->session_key, sizeof(old_key));
211	ceph_decode_timespec(&validity, &new_validity);	189	ret = ceph_crypto_key_decode(&new_session_key, &dp, dend);
212	new_expires = get_seconds() + validity.tv_sec;	190	if (ret)
213	new_renew_after = new_expires - (validity.tv_sec / 4);	191	goto out;
214	dout(" expires=%lu renew_after=%lu\n", new_expires,
215	new_renew_after);
216		192
217	/* ticket blob for service */	193	ceph_decode_copy(&dp, &new_validity, sizeof(new_validity));
218	ceph_decode_8_safe(&p, end, is_enc, bad);	194	ceph_decode_timespec(&validity, &new_validity);
219	tp = ticket_buf;	195	new_expires = get_seconds() + validity.tv_sec;
220	if (is_enc) {	196	new_renew_after = new_expires - (validity.tv_sec / 4);
221	/* encrypted */	197	dout(" expires=%lu renew_after=%lu\n", new_expires,
222	dout(" encrypted ticket\n");	198	new_renew_after);
223	dlen = ceph_x_decrypt(&old_key, &p, end, ticket_buf,	199
224	TEMP_TICKET_BUF_LEN);	200	/* ticket blob for service */
225	if (dlen < 0) {	201	ceph_decode_8_safe(p, end, is_enc, bad);
226	ret = dlen;	202	if (is_enc) {
227	goto out;	203	/* encrypted */
228	}	204	dout(" encrypted ticket\n");
229	dlen = ceph_decode_32(&tp);	205	dlen = ceph_x_decrypt(&old_key, p, end, &ticket_buf, 0);
230	} else {	206	if (dlen < 0) {
231	/* unencrypted */	207	ret = dlen;
232	ceph_decode_32_safe(&p, end, dlen, bad);	208	goto out;
233	ceph_decode_need(&p, end, dlen, bad);
234	ceph_decode_copy(&p, ticket_buf, dlen);
235	}	209	}
236	tpend = tp + dlen;	210	tp = ticket_buf;
237	dout(" ticket blob is %d bytes\n", dlen);	211	dlen = ceph_decode_32(&tp);
238	ceph_decode_need(&tp, tpend, 1 + sizeof(u64), bad);	212	} else {
239	blob_struct_v = ceph_decode_8(&tp);	213	/* unencrypted */
240	new_secret_id = ceph_decode_64(&tp);	214	ceph_decode_32_safe(p, end, dlen, bad);
241	ret = ceph_decode_buffer(&new_ticket_blob, &tp, tpend);	215	ticket_buf = kmalloc(dlen, GFP_NOFS);
242	if (ret)	216	if (!ticket_buf) {
		217	ret = -ENOMEM;
243	goto out;	218	goto out;
244		219	}
245	/* all is well, update our ticket */	220	tp = ticket_buf;
246	ceph_crypto_key_destroy(&th->session_key);	221	ceph_decode_need(p, end, dlen, bad);
247	if (th->ticket_blob)	222	ceph_decode_copy(p, ticket_buf, dlen);
248	ceph_buffer_put(th->ticket_blob);
249	th->session_key = new_session_key;
250	th->ticket_blob = new_ticket_blob;
251	th->validity = new_validity;
252	th->secret_id = new_secret_id;
253	th->expires = new_expires;
254	th->renew_after = new_renew_after;
255	dout(" got ticket service %d (%s) secret_id %lld len %d\n",
256	type, ceph_entity_type_name(type), th->secret_id,
257	(int)th->ticket_blob->vec.iov_len);
258	xi->have_keys \|= th->service;
259	}	223	}
		224	tpend = tp + dlen;
		225	dout(" ticket blob is %d bytes\n", dlen);
		226	ceph_decode_need(&tp, tpend, 1 + sizeof(u64), bad);
		227	blob_struct_v = ceph_decode_8(&tp);
		228	new_secret_id = ceph_decode_64(&tp);
		229	ret = ceph_decode_buffer(&new_ticket_blob, &tp, tpend);
		230	if (ret)
		231	goto out;
		232
		233	/* all is well, update our ticket */
		234	ceph_crypto_key_destroy(&th->session_key);
		235	if (th->ticket_blob)
		236	ceph_buffer_put(th->ticket_blob);
		237	th->session_key = new_session_key;
		238	th->ticket_blob = new_ticket_blob;
		239	th->validity = new_validity;
		240	th->secret_id = new_secret_id;
		241	th->expires = new_expires;
		242	th->renew_after = new_renew_after;
		243	dout(" got ticket service %d (%s) secret_id %lld len %d\n",
		244	type, ceph_entity_type_name(type), th->secret_id,
		245	(int)th->ticket_blob->vec.iov_len);
		246	xi->have_keys \|= th->service;
260		247
261	ret = 0;
262	out:	248	out:
263	kfree(ticket_buf);	249	kfree(ticket_buf);
264	out_dbuf:
265	kfree(dbuf);	250	kfree(dbuf);
266	return ret;	251	return ret;
267		252
@@ -270,6 +255,34 @@ bad:
270	goto out;	255	goto out;
271	}	256	}
272		257
		258	static int ceph_x_proc_ticket_reply(struct ceph_auth_client *ac,
		259	struct ceph_crypto_key *secret,
		260	void buf, void end)
		261	{
		262	void *p = buf;
		263	u8 reply_struct_v;
		264	u32 num;
		265	int ret;
		266
		267	ceph_decode_8_safe(&p, end, reply_struct_v, bad);
		268	if (reply_struct_v != 1)
		269	return -EINVAL;
		270
		271	ceph_decode_32_safe(&p, end, num, bad);
		272	dout("%d tickets\n", num);
		273
		274	while (num--) {
		275	ret = process_one_ticket(ac, secret, &p, end);
		276	if (ret)
		277	return ret;
		278	}
		279
		280	return 0;
		281
		282	bad:
		283	return -EINVAL;
		284	}
		285
273	static int ceph_x_build_authorizer(struct ceph_auth_client *ac,	286	static int ceph_x_build_authorizer(struct ceph_auth_client *ac,
274	struct ceph_x_ticket_handler *th,	287	struct ceph_x_ticket_handler *th,
275	struct ceph_x_authorizer *au)	288	struct ceph_x_authorizer *au)
@@ -583,13 +596,14 @@ static int ceph_x_verify_authorizer_reply(struct ceph_auth_client *ac,
583	struct ceph_x_ticket_handler *th;	596	struct ceph_x_ticket_handler *th;
584	int ret = 0;	597	int ret = 0;
585	struct ceph_x_authorize_reply reply;	598	struct ceph_x_authorize_reply reply;
		599	void *preply = &reply;
586	void *p = au->reply_buf;	600	void *p = au->reply_buf;
587	void *end = p + sizeof(au->reply_buf);	601	void *end = p + sizeof(au->reply_buf);
588		602
589	th = get_ticket_handler(ac, au->service);	603	th = get_ticket_handler(ac, au->service);
590	if (IS_ERR(th))	604	if (IS_ERR(th))
591	return PTR_ERR(th);	605	return PTR_ERR(th);
592	ret = ceph_x_decrypt(&th->session_key, &p, end, &reply, sizeof(reply));	606	ret = ceph_x_decrypt(&th->session_key, &p, end, &preply, sizeof(reply));
593	if (ret < 0)	607	if (ret < 0)
594	return ret;	608	return ret;
595	if (ret != sizeof(reply))	609	if (ret != sizeof(reply))


diff --git a/net/ceph/mon_client.c b/net/ceph/mon_client.c index 067d3af2eaf6..61fcfc304f68 100644 --- a/net/ceph/mon_client.c +++ b/net/ceph/mon_client.c
@@ -1181,7 +1181,15 @@ static struct ceph_msg mon_alloc_msg(struct ceph_connection con,
1181	if (!m) {	1181	if (!m) {
1182	pr_info("alloc_msg unknown type %d\n", type);	1182	pr_info("alloc_msg unknown type %d\n", type);
1183	*skip = 1;	1183	*skip = 1;
		1184	} else if (front_len > m->front_alloc_len) {
		1185	pr_warning("mon_alloc_msg front %d > prealloc %d (%u#%llu)\n",
		1186	front_len, m->front_alloc_len,
		1187	(unsigned int)con->peer_name.type,
		1188	le64_to_cpu(con->peer_name.num));
		1189	ceph_msg_put(m);
		1190	m = ceph_msg_new(type, front_len, GFP_NOFS, false);
1184	}	1191	}
		1192
1185	return m;	1193	return m;
1186	}	1194	}
1187		1195