Commit 2f738d2d authored by Jeff Layton's avatar Jeff Layton Committed by Zizhi Wo

ceph: drop private list from remove_session_caps_cb

mainline inclusion
from mainline-v5.16-rc1
commit c35cac61
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9R4KH
CVE: CVE-2023-52732

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c35cac610a24f8b2e2d6f6535b7300d3bb2e5c29



--------------------------------

This function does a lot of list-shuffling with cap flushes, all to
avoid possibly freeing a slab allocation under spinlock (which is
totally ok).  Simplify the code by just detaching and freeing the cap
flushes in place.

Signed-off-by: default avatarJeff Layton <jlayton@kernel.org>
Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
Signed-off-by: default avatarZizhi Wo <wozizhi@huawei.com>
parent 87d5a74b
+10 −16
@@ -1640,7 +1640,6 @@ static int remove_session_caps_cb(struct inode *inode, struct ceph_cap *cap,
	struct ceph_fs_client *fsc = (struct ceph_fs_client *)arg;
	struct ceph_mds_client *mdsc = fsc->mdsc;
	struct ceph_inode_info *ci = ceph_inode(inode);
	LIST_HEAD(to_remove);
	bool dirty_dropped = false;
	bool invalidate = false;
	int capsnap_release = 0;
@@ -1659,16 +1658,17 @@ static int remove_session_caps_cb(struct inode *inode, struct ceph_cap *cap,
				mapping_set_error(&inode->i_data, -EIO);
		}

		spin_lock(&mdsc->cap_dirty_lock);

		/* trash all of the cap flushes for this inode */
		while (!list_empty(&ci->i_cap_flush_list)) {
			cf = list_first_entry(&ci->i_cap_flush_list,
					      struct ceph_cap_flush, i_list);
			list_move(&cf->i_list, &to_remove);
		}

		spin_lock(&mdsc->cap_dirty_lock);

		list_for_each_entry(cf, &to_remove, i_list)
			list_del_init(&cf->g_list);
			list_del_init(&cf->i_list);
			if (!cf->is_capsnap)
				ceph_free_cap_flush(cf);
		}

		if (!list_empty(&ci->i_dirty_item)) {
			pr_warn_ratelimited(
@@ -1711,22 +1711,16 @@ static int remove_session_caps_cb(struct inode *inode, struct ceph_cap *cap,
		}

		if (!ci->i_dirty_caps && ci->i_prealloc_cap_flush) {
			list_add(&ci->i_prealloc_cap_flush->i_list, &to_remove);
			cf = ci->i_prealloc_cap_flush;
			ci->i_prealloc_cap_flush = NULL;
			if (!cf->is_capsnap)
				ceph_free_cap_flush(cf);
		}

		if (!list_empty(&ci->i_cap_snaps))
			capsnap_release = remove_capsnaps(mdsc, inode);
	}
	spin_unlock(&ci->i_ceph_lock);
	while (!list_empty(&to_remove)) {
		struct ceph_cap_flush *cf;
		cf = list_first_entry(&to_remove,
				      struct ceph_cap_flush, i_list);
		list_del_init(&cf->i_list);
		if (!cf->is_capsnap)
			ceph_free_cap_flush(cf);
	}

	wake_up_all(&ci->i_cap_wq);
	if (invalidate)