Home Home > GIT Browse
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTakashi Iwai <tiwai@suse.de>2018-12-04 15:36:26 +0100
committerTakashi Iwai <tiwai@suse.de>2018-12-04 15:36:26 +0100
commitd6b8967cb551ac8c9add598baf6960dbae90a082 (patch)
treed79f60fdea406d9ba2be9c94a52148772d07bd4f
parent9c408b64faaa1048b15fb9699e21cc52f3f8f5da (diff)
parent5c17df16fb4f0f7a379426e6c125e25ce3859989 (diff)
Merge branch 'users/lhenriques/SLE15/for-next' into SLE15
Pull ceph fix from Luis Henriques
-rw-r--r--patches.fixes/libceph-fall-back-to-sendmsg-for-slab-pages.patch57
-rw-r--r--series.conf1
2 files changed, 58 insertions, 0 deletions
diff --git a/patches.fixes/libceph-fall-back-to-sendmsg-for-slab-pages.patch b/patches.fixes/libceph-fall-back-to-sendmsg-for-slab-pages.patch
new file mode 100644
index 0000000000..91f4887709
--- /dev/null
+++ b/patches.fixes/libceph-fall-back-to-sendmsg-for-slab-pages.patch
@@ -0,0 +1,57 @@
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Thu, 8 Nov 2018 15:55:37 +0100
+Subject: libceph: fall back to sendmsg for slab pages
+Git-commit: 7e241f647dc7087a0401418a187f3f5b527cc690
+Patch-mainline: v4.20-rc4
+References: bsc#1118316
+
+skb_can_coalesce() allows coalescing neighboring slab objects into
+a single frag:
+
+ return page == skb_frag_page(frag) &&
+ off == frag->page_offset + skb_frag_size(frag);
+
+ceph_tcp_sendpage() can be handed slab pages. One example of this is
+XFS: it passes down sector sized slab objects for its metadata I/O. If
+the kernel client is co-located on the OSD node, the skb may go through
+loopback and pop on the receive side with the exact same set of frags.
+When tcp_recvmsg() attempts to copy out such a frag, hardened usercopy
+complains because the size exceeds the object's allocated size:
+
+ usercopy: kernel memory exposure attempt detected from ffff9ba917f20a00 (kmalloc-512) (1024 bytes)
+
+Although skb_can_coalesce() could be taught to return false if the
+resulting frag would cross a slab object boundary, we already have
+a fallback for non-refcounted pages. Utilize it for slab pages too.
+
+Cc: stable@vger.kernel.org # 4.8+
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+---
+ net/ceph/messenger.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
+index 57fcc6b4bf6e..2f126eff275d 100644
+--- a/net/ceph/messenger.c
++++ b/net/ceph/messenger.c
+@@ -580,9 +580,15 @@ static int ceph_tcp_sendpage(struct socket *sock, struct page *page,
+ struct bio_vec bvec;
+ int ret;
+
+- /* sendpage cannot properly handle pages with page_count == 0,
+- * we need to fallback to sendmsg if that's the case */
+- if (page_count(page) >= 1)
++ /*
++ * sendpage cannot properly handle pages with page_count == 0,
++ * we need to fall back to sendmsg if that's the case.
++ *
++ * Same goes for slab pages: skb_can_coalesce() allows
++ * coalescing neighboring slab objects into a single frag which
++ * triggers one of hardened usercopy checks.
++ */
++ if (page_count(page) >= 1 && !PageSlab(page))
+ return __ceph_tcp_sendpage(sock, page, offset, size, more);
+
+ bvec.bv_page = page;
+
diff --git a/series.conf b/series.conf
index 3ba117f190..0ddd4aa56e 100644
--- a/series.conf
+++ b/series.conf
@@ -18984,6 +18984,7 @@
patches.drivers/iommu-ipmmu-vmsa-fix-crash-on-early-domain-free
patches.drivers/amd-iommu-fix-guest-virtual-apic-log-tail-address-register
patches.drivers/iommu-vt-d-use-memunmap-to-free-memremap
+ patches.fixes/libceph-fall-back-to-sendmsg-for-slab-pages.patch
patches.suse/sctp-not-allow-to-set-asoc-prsctp_enable-by-sockopt.patch
patches.suse/sctp-not-increase-stream-s-incnt-before-sending-adds.patch
patches.drivers/net-ena-fix-crash-during-failed-resume-from-hibernat.patch