This is a note to let you know that I've just added the patch titled
ceph: fix off by one bugs in unsafe_request_wait()
to the 5.10-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
ceph-fix-off-by-one-bugs-in-unsafe_request_wait.patch
and it can be found in the queue-5.10 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
commit 8c1dd05613372e51a6bac73aa98dbce4e0bb94cc
Author: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Date: Mon Sep 6 12:43:01 2021 +0300
ceph: fix off by one bugs in unsafe_request_wait()
[ Upstream commit 708c87168b6121abc74b2a57d0c498baaf70cbea ]
The "> max" tests should be ">= max" to prevent an out of bounds access
on the next lines.
Fixes: e1a4541ec0b9 ("ceph: flush the mdlog before waiting on unsafe reqs")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Reviewed-by: Ilya Dryomov <idryomov@xxxxxxxxx>
Signed-off-by: Ilya Dryomov <idryomov@xxxxxxxxx>
Stable-dep-of: 5bd76b8de5b7 ("ceph: fix NULL pointer dereference for req->r_session")
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c
index 2fa6b7cc0cc4..f14d52848b91 100644
--- a/fs/ceph/caps.c
+++ b/fs/ceph/caps.c
@@ -2343,7 +2343,7 @@ static int unsafe_request_wait(struct inode *inode)
list_for_each_entry(req, &ci->i_unsafe_dirops,
r_unsafe_dir_item) {
s = req->r_session;
- if (unlikely(s->s_mds > max)) {
+ if (unlikely(s->s_mds >= max)) {
spin_unlock(&ci->i_unsafe_lock);
goto retry;
}
@@ -2357,7 +2357,7 @@ static int unsafe_request_wait(struct inode *inode)
list_for_each_entry(req, &ci->i_unsafe_iops,
r_unsafe_target_item) {
s = req->r_session;
- if (unlikely(s->s_mds > max)) {
+ if (unlikely(s->s_mds >= max)) {
spin_unlock(&ci->i_unsafe_lock);
goto retry;
}
