Commit c3f9b9fa authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'ceph-for-6.3-rc1' of https://github.com/ceph/ceph-client 

Pull ceph fixes from Ilya Dryomov:
 "Two small fixes from Xiubo and myself, marked for stable"

* tag 'ceph-for-6.3-rc1' of https://github.com/ceph/ceph-client:
  rbd: avoid use-after-free in do_rbd_add() when rbd_dev_create() fails
  ceph: update the time stamps and try to drop the suid/sgid
parents 04a357b1 f7c4d9b1

drivers/block/rbd.c

+9 −11
Original line number Diff line number Diff line
@@ -5291,8 +5291,7 @@ static void rbd_dev_release(struct device *dev) 
		module_put(THIS_MODULE);

}



static struct rbd_device *__rbd_dev_create(struct rbd_client *rbdc,

					   struct rbd_spec *spec)

static struct rbd_device *__rbd_dev_create(struct rbd_spec *spec)

{

	struct rbd_device *rbd_dev;
@@ -5337,9 +5336,6 @@ static struct rbd_device *__rbd_dev_create(struct rbd_client *rbdc, 
	rbd_dev->dev.parent = &rbd_root_dev;

	device_initialize(&rbd_dev->dev);



	rbd_dev->rbd_client = rbdc;

	rbd_dev->spec = spec;



	return rbd_dev;

}
@@ -5352,12 +5348,10 @@ static struct rbd_device *rbd_dev_create(struct rbd_client *rbdc, 
{

	struct rbd_device *rbd_dev;



	rbd_dev = __rbd_dev_create(rbdc, spec);

	rbd_dev = __rbd_dev_create(spec);

	if (!rbd_dev)

		return NULL;



	rbd_dev->opts = opts;



	/* get an id and fill in device name */

	rbd_dev->dev_id = ida_simple_get(&rbd_dev_id_ida, 0,

					 minor_to_rbd_dev_id(1 << MINORBITS),
@@ -5374,6 +5368,10 @@ static struct rbd_device *rbd_dev_create(struct rbd_client *rbdc, 
	/* we have a ref from do_rbd_add() */

	__module_get(THIS_MODULE);



	rbd_dev->rbd_client = rbdc;

	rbd_dev->spec = spec;

	rbd_dev->opts = opts;



	dout("%s rbd_dev %p dev_id %d\n", __func__, rbd_dev, rbd_dev->dev_id);

	return rbd_dev;
@@ -6735,7 +6733,7 @@ static int rbd_dev_probe_parent(struct rbd_device *rbd_dev, int depth) 
		goto out_err;

	}



	parent = __rbd_dev_create(rbd_dev->rbd_client, rbd_dev->parent_spec);

	parent = __rbd_dev_create(rbd_dev->parent_spec);

	if (!parent) {

		ret = -ENOMEM;

		goto out_err;
@@ -6745,8 +6743,8 @@ static int rbd_dev_probe_parent(struct rbd_device *rbd_dev, int depth) 
	 * Images related by parent/child relationships always share

	 * rbd_client and spec/parent_spec, so bump their refcounts.

	 */

	__rbd_get_client(rbd_dev->rbd_client);

	rbd_spec_get(rbd_dev->parent_spec);

	parent->rbd_client = __rbd_get_client(rbd_dev->rbd_client);

	parent->spec = rbd_spec_get(rbd_dev->parent_spec);



	__set_bit(RBD_DEV_FLAG_READONLY, &parent->flags);

fs/ceph/file.c

+8 −0
Original line number Diff line number Diff line
@@ -2098,6 +2098,9 @@ static long ceph_fallocate(struct file *file, int mode, 
	loff_t endoff = 0;

	loff_t size;



	dout("%s %p %llx.%llx mode %x, offset %llu length %llu\n", __func__,

	     inode, ceph_vinop(inode), mode, offset, length);



	if (mode != (FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE))

		return -EOPNOTSUPP;
@@ -2132,6 +2135,10 @@ static long ceph_fallocate(struct file *file, int mode, 
	if (ret < 0)

		goto unlock;



	ret = file_modified(file);

	if (ret)

		goto put_caps;



	filemap_invalidate_lock(inode->i_mapping);

	ceph_fscache_invalidate(inode, false);

	ceph_zero_pagecache_range(inode, offset, length);
@@ -2147,6 +2154,7 @@ static long ceph_fallocate(struct file *file, int mode, 
	}

	filemap_invalidate_unlock(inode->i_mapping);



put_caps:

	ceph_put_cap_refs(ci, got);

unlock:

	inode_unlock(inode);