Revision - 9c55ad1 - libceph: validate con->state at the top of try_write()

Revision 9c55ad1c214d9f8c4594ac2c3fa392c1c32431a7 authored by Ilya Dryomov on 24 April 2018, 17:10:55 UTC, committed by Ilya Dryomov on 26 April 2018, 15:39:08 UTC

libceph: validate con->state at the top of try_write()

ceph_con_workfn() validates con->state before calling try_read() and
then try_write().  However, try_read() temporarily releases con->mutex,
notably in process_message() and ceph_con_in_msg_alloc(), opening the
window for ceph_con_close() to sneak in, close the connection and
release con->sock.  When try_write() is called on the assumption that
con->state is still valid (i.e. not STANDBY or CLOSED), a NULL sock
gets passed to the networking stack:

  BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
  IP: selinux_socket_sendmsg+0x5/0x20

Make sure con->state is valid at the top of try_write() and add an
explicit BUG_ON for this, similar to try_read().

Cc: stable@vger.kernel.org
Link: https://tracker.ceph.com/issues/23706
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Jason Dillaman <dillaman@redhat.com>

1 parent 7b4c443

Files
Changes

Permalinks

wm8996.h

/*
 * linux/sound/wm8996.h -- Platform data for WM8996
 *
 * Copyright 2011 Wolfson Microelectronics. PLC.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */

#ifndef __LINUX_SND_WM8996_H
#define __LINUX_SND_WM8996_H

enum wm8996_inmode {
	WM8996_DIFFERRENTIAL_1 = 0,   /* IN1xP - IN1xN */
	WM8996_INVERTING = 1,         /* IN1xN */
	WM8996_NON_INVERTING = 2,     /* IN1xP */
	WM8996_DIFFERENTIAL_2 = 3,    /* IN2xP - IN2xP */
};

/**
 * ReTune Mobile configurations are specified with a label, sample
 * rate and set of values to write (the enable bits will be ignored).
 *
 * Configurations are expected to be generated using the ReTune Mobile
 * control panel in WISCE - see http://www.wolfsonmicro.com/wisce/
 */
struct wm8996_retune_mobile_config {
	const char *name;
	int rate;
	u16 regs[20];
};

#define WM8996_SET_DEFAULT 0x10000

struct wm8996_pdata {
	int irq_flags;  /** Set IRQ trigger flags; default active low */

	int ldo_ena;  /** GPIO for LDO1; -1 for none */

	int micdet_def;  /** Default MICDET_SRC/HP1FB_SRC/MICD_BIAS */

	enum wm8996_inmode inl_mode;
	enum wm8996_inmode inr_mode;

	u32 spkmute_seq;  /** Value for register 0x802 */

	int gpio_base;
	u32 gpio_default[5];

	int num_retune_mobile_cfgs;
	struct wm8996_retune_mobile_config *retune_mobile_cfgs;
};

#endif

Showing with 0 additions and 0 deletions (0 / 0 diffs computed)

Computing file changes ...