<feed xmlns='http://www.w3.org/2005/Atom'>
<title>pm24.git/include/linux/ceph, branch v4.19-rc2</title>
<id>https://git.kobert.dev/pm24.git/atom?h=v4.19-rc2</id>
<link rel='self' href='https://git.kobert.dev/pm24.git/atom?h=v4.19-rc2'/>
<link rel='alternate' type='text/html' href='https://git.kobert.dev/pm24.git/'/>
<updated>2018-08-02T19:33:25Z</updated>
<entry>
<title>libceph: implement CEPHX_V2 calculation mode</title>
<updated>2018-08-02T19:33:25Z</updated>
<author>
<name>Ilya Dryomov</name>
<email>idryomov@gmail.com</email>
</author>
<published>2018-07-27T17:25:32Z</published>
<link rel='alternate' type='text/html' href='https://git.kobert.dev/pm24.git/commit/?id=cc255c76c70f7a87d97939621eae04b600d9f4a1'/>
<id>urn:sha1:cc255c76c70f7a87d97939621eae04b600d9f4a1</id>
<content type='text'>
Derive the signature from the entire buffer (both AES cipher blocks)
instead of using just the first half of the first block, leaving out
data_crc entirely.

This addresses CVE-2018-1129.

Link: http://tracker.ceph.com/issues/24837
Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
Reviewed-by: Sage Weil &lt;sage@redhat.com&gt;
</content>
</entry>
<entry>
<title>libceph: add authorizer challenge</title>
<updated>2018-08-02T19:33:24Z</updated>
<author>
<name>Ilya Dryomov</name>
<email>idryomov@gmail.com</email>
</author>
<published>2018-07-27T17:18:34Z</published>
<link rel='alternate' type='text/html' href='https://git.kobert.dev/pm24.git/commit/?id=6daca13d2e72bedaaacfc08f873114c9307d5aea'/>
<id>urn:sha1:6daca13d2e72bedaaacfc08f873114c9307d5aea</id>
<content type='text'>
When a client authenticates with a service, an authorizer is sent with
a nonce to the service (ceph_x_authorize_[ab]) and the service responds
with a mutation of that nonce (ceph_x_authorize_reply).  This lets the
client verify the service is who it says it is but it doesn't protect
against a replay: someone can trivially capture the exchange and reuse
the same authorizer to authenticate themselves.

Allow the service to reject an initial authorizer with a random
challenge (ceph_x_authorize_challenge).  The client then has to respond
with an updated authorizer proving they are able to decrypt the
service's challenge and that the new authorizer was produced for this
specific connection instance.

The accepting side requires this challenge and response unconditionally
if the client side advertises they have the CEPHX_V2 feature bit.

This addresses CVE-2018-1128.

Link: http://tracker.ceph.com/issues/24836
Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
Reviewed-by: Sage Weil &lt;sage@redhat.com&gt;
</content>
</entry>
<entry>
<title>libceph: store ceph_auth_handshake pointer in ceph_connection</title>
<updated>2018-08-02T19:33:22Z</updated>
<author>
<name>Ilya Dryomov</name>
<email>idryomov@gmail.com</email>
</author>
<published>2018-07-26T13:17:46Z</published>
<link rel='alternate' type='text/html' href='https://git.kobert.dev/pm24.git/commit/?id=262614c4294d33b1f19e0d18c0091d9c329b544a'/>
<id>urn:sha1:262614c4294d33b1f19e0d18c0091d9c329b544a</id>
<content type='text'>
We already copy authorizer_reply_buf and authorizer_reply_buf_len into
ceph_connection.  Factoring out __prepare_write_connect() requires two
more: authorizer_buf and authorizer_buf_len.  Store the pointer to the
handshake in con-&gt;auth rather than piling on.

Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
Reviewed-by: Sage Weil &lt;sage@redhat.com&gt;
</content>
</entry>
<entry>
<title>libceph: remove now unused ceph_{en,de}code_timespec()</title>
<updated>2018-08-02T19:33:20Z</updated>
<author>
<name>Ilya Dryomov</name>
<email>idryomov@gmail.com</email>
</author>
<published>2018-07-23T12:11:40Z</published>
<link rel='alternate' type='text/html' href='https://git.kobert.dev/pm24.git/commit/?id=f7e52d8efe8588c5d4b4c78eb33da81d89486c1a'/>
<id>urn:sha1:f7e52d8efe8588c5d4b4c78eb33da81d89486c1a</id>
<content type='text'>
Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
</content>
</entry>
<entry>
<title>libceph: use timespec64 for r_mtime</title>
<updated>2018-08-02T19:33:14Z</updated>
<author>
<name>Arnd Bergmann</name>
<email>arnd@arndb.de</email>
</author>
<published>2018-07-13T20:18:37Z</published>
<link rel='alternate' type='text/html' href='https://git.kobert.dev/pm24.git/commit/?id=fac02ddf910814c24f5d9d969dfdab5227f6f3eb'/>
<id>urn:sha1:fac02ddf910814c24f5d9d969dfdab5227f6f3eb</id>
<content type='text'>
The request mtime field is used all over ceph, and is currently
represented as a 'timespec' structure in Linux. This changes it to
timespec64 to allow times beyond 2038, modifying all users at the
same time.

[ Remove now redundant ts variable in writepage_nounlock(). ]

Signed-off-by: Arnd Bergmann &lt;arnd@arndb.de&gt;
Reviewed-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
</content>
</entry>
<entry>
<title>libceph: use timespec64 in for keepalive2 and ticket validity</title>
<updated>2018-08-02T19:26:12Z</updated>
<author>
<name>Arnd Bergmann</name>
<email>arnd@arndb.de</email>
</author>
<published>2018-07-13T20:18:34Z</published>
<link rel='alternate' type='text/html' href='https://git.kobert.dev/pm24.git/commit/?id=473bd2d780d1699d81b25f57c0ec4de633a28eb8'/>
<id>urn:sha1:473bd2d780d1699d81b25f57c0ec4de633a28eb8</id>
<content type='text'>
ceph_con_keepalive_expired() is the last user of timespec_add() and some
of the last uses of ktime_get_real_ts().  Replacing this with timespec64
based interfaces lets us remove that deprecated API.

I'm introducing new ceph_encode_timespec64()/ceph_decode_timespec64()
here that take timespec64 structures and convert to/from ceph_timespec,
which is defined to have an unsigned 32-bit tv_sec member. This extends
the range of valid times to year 2106, avoiding the year 2038 overflow.

The ceph file system portion still uses the old functions for inode
timestamps; this will be done separately after the VFS layer is converted.

Signed-off-by: Arnd Bergmann &lt;arnd@arndb.de&gt;
Reviewed-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
</content>
</entry>
<entry>
<title>libceph: change ceph_pagelist_encode_string() to take u32</title>
<updated>2018-08-02T19:26:11Z</updated>
<author>
<name>Ilya Dryomov</name>
<email>idryomov@gmail.com</email>
</author>
<published>2018-06-27T14:42:51Z</published>
<link rel='alternate' type='text/html' href='https://git.kobert.dev/pm24.git/commit/?id=c9ed51c9123ab5e8f79b7d53a9afd786b43d4fe6'/>
<id>urn:sha1:c9ed51c9123ab5e8f79b7d53a9afd786b43d4fe6</id>
<content type='text'>
The wire format dictates that the length of a string fits into 4 bytes.
Take u32 instead of size_t to reflect that.

We were already truncating len in ceph_pagelist_encode_32() -- this
just pushes that truncation one level up.

Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
</content>
</entry>
<entry>
<title>libceph: make ceph_osdc_notify{,_ack}() payload_len u32</title>
<updated>2018-08-02T19:26:11Z</updated>
<author>
<name>Ilya Dryomov</name>
<email>idryomov@gmail.com</email>
</author>
<published>2018-06-25T15:26:55Z</published>
<link rel='alternate' type='text/html' href='https://git.kobert.dev/pm24.git/commit/?id=6d54228fd1f293d00576ab2c3d2e4992c7cce12f'/>
<id>urn:sha1:6d54228fd1f293d00576ab2c3d2e4992c7cce12f</id>
<content type='text'>
The wire format dictates that payload_len fits into 4 bytes.  Take u32
instead of size_t to reflect that.

All callers pass a small integer, so no changes required.

Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
</content>
</entry>
<entry>
<title>libceph: allocate the locator string with GFP_NOFAIL</title>
<updated>2018-06-04T18:46:00Z</updated>
<author>
<name>Ilya Dryomov</name>
<email>idryomov@gmail.com</email>
</author>
<published>2018-05-23T12:46:53Z</published>
<link rel='alternate' type='text/html' href='https://git.kobert.dev/pm24.git/commit/?id=a86f009f106cba322c608785e09c8b5be8ffe8bb'/>
<id>urn:sha1:a86f009f106cba322c608785e09c8b5be8ffe8bb</id>
<content type='text'>
calc_target() isn't supposed to fail with anything but POOL_DNE, in
which case we report that the pool doesn't exist and fail the request
with -ENOENT.  Doing this for -ENOMEM is at the very least confusing
and also harmful -- as the preceding requests complete, a short-lived
locator string allocation is likely to succeed after a wait.

(We used to call ceph_object_locator_to_pg() for a pi lookup.  In
theory that could fail with -ENOENT, hence the "ret != -ENOENT" warning
being removed.)

Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
</content>
</entry>
<entry>
<title>libceph: make abort_on_full a per-osdc setting</title>
<updated>2018-06-04T18:46:00Z</updated>
<author>
<name>Ilya Dryomov</name>
<email>idryomov@gmail.com</email>
</author>
<published>2018-05-30T14:29:14Z</published>
<link rel='alternate' type='text/html' href='https://git.kobert.dev/pm24.git/commit/?id=c843d13caefad9f2f182f38d6bfe492c9f00e086'/>
<id>urn:sha1:c843d13caefad9f2f182f38d6bfe492c9f00e086</id>
<content type='text'>
The intent behind making it a per-request setting was that it would be
set for writes, but not for reads.  As it is, the flag is set for all
fs/ceph requests except for pool perm check stat request (technically
a read).

ceph_osdc_abort_on_full() skips reads since the previous commit and
I don't see a use case for marking individual requests.

Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
Acked-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Reviewed-by: "Yan, Zheng" &lt;zyan@redhat.com&gt;
</content>
</entry>
</feed>
