Revision 9c55ad1c214d9f8c4594ac2c3fa392c1c32431a7 authored by Ilya Dryomov on 24 April 2018, 17:10:55 UTC, committed by Ilya Dryomov on 26 April 2018, 15:39:08 UTC
ceph_con_workfn() validates con->state before calling try_read() and then try_write(). However, try_read() temporarily releases con->mutex, notably in process_message() and ceph_con_in_msg_alloc(), opening the window for ceph_con_close() to sneak in, close the connection and release con->sock. When try_write() is called on the assumption that con->state is still valid (i.e. not STANDBY or CLOSED), a NULL sock gets passed to the networking stack: BUG: unable to handle kernel NULL pointer dereference at 0000000000000020 IP: selinux_socket_sendmsg+0x5/0x20 Make sure con->state is valid at the top of try_write() and add an explicit BUG_ON for this, similar to try_read(). Cc: stable@vger.kernel.org Link: https://tracker.ceph.com/issues/23706 Signed-off-by: Ilya Dryomov <idryomov@gmail.com> Reviewed-by: Jason Dillaman <dillaman@redhat.com>
1 parent 7b4c443
| File | Mode | Size |
|---|---|---|
| platform | ||
| acbuffer.h | -rw-r--r-- | 8.6 KB |
| acconfig.h | -rw-r--r-- | 7.0 KB |
| acexcep.h | -rw-r--r-- | 16.2 KB |
| acnames.h | -rw-r--r-- | 2.0 KB |
| acoutput.h | -rw-r--r-- | 16.0 KB |
| acpi.h | -rw-r--r-- | 1.3 KB |
| acpi_bus.h | -rw-r--r-- | 19.1 KB |
| acpi_drivers.h | -rw-r--r-- | 4.1 KB |
| acpi_io.h | -rw-r--r-- | 713 bytes |
| acpi_lpat.h | -rw-r--r-- | 1.5 KB |
| acpi_numa.h | -rw-r--r-- | 623 bytes |
| acpiosxf.h | -rw-r--r-- | 10.7 KB |
| acpixf.h | -rw-r--r-- | 30.3 KB |
| acrestyp.h | -rw-r--r-- | 18.8 KB |
| actbl.h | -rw-r--r-- | 18.3 KB |
| actbl1.h | -rw-r--r-- | 40.3 KB |
| actbl2.h | -rw-r--r-- | 44.9 KB |
| actbl3.h | -rw-r--r-- | 20.0 KB |
| actypes.h | -rw-r--r-- | 40.6 KB |
| acuuid.h | -rw-r--r-- | 2.4 KB |
| apei.h | -rw-r--r-- | 1.3 KB |
| battery.h | -rw-r--r-- | 561 bytes |
| button.h | -rw-r--r-- | 621 bytes |
| cppc_acpi.h | -rw-r--r-- | 2.9 KB |
| ghes.h | -rw-r--r-- | 2.9 KB |
| hed.h | -rw-r--r-- | 371 bytes |
| nfit.h | -rw-r--r-- | 351 bytes |
| pcc.h | -rw-r--r-- | 816 bytes |
| pdc_intel.h | -rw-r--r-- | 1.0 KB |
| processor.h | -rw-r--r-- | 11.0 KB |
| reboot.h | -rw-r--r-- | 201 bytes |
| video.h | -rw-r--r-- | 2.8 KB |
Computing file changes ...
