| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 10 Oct 2016 21:11:19 +0800
From: "Yan, Zheng" <zyan@...hat.com>
To: Nikolay Borisov <kernel@...p.com>
Cc: Ilya Dryomov <idryomov@...il.com>,
ceph-devel <ceph-devel@...r.kernel.org>,
linux-kernel@...r.kernel.org
Subject: Re: [PATCHv2] ceph: Fix error handling in ceph_read_iter
> On 10 Oct 2016, at 20:56, Nikolay Borisov <kernel@...p.com> wrote:
>
> In case __ceph_do_getattr returns an error and the retry_op in
> ceph_read_iter is not READ_INLINE, then it's possible to invoke
> __free_page on a page which is NULL, this naturally leads to a crash.
> This can happen when, for example, a process waiting on a MDS reply
> receives sigterm.
>
> Fix this by explicitly checking whether the page is set or not.
>
> Signed-off-by: Nikolay Borisov <kernel@...p.com>
> Link: http://www.spinics.net/lists/ceph-users/msg31592.html
> ---
>
> Inverted the condition, so resending with correct condition
> this time.
>
> fs/ceph/file.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/fs/ceph/file.c b/fs/ceph/file.c
> index 3c68e6aee2f0..7413313ae6c8 100644
> --- a/fs/ceph/file.c
> +++ b/fs/ceph/file.c
> @@ -929,7 +929,8 @@ again:
> statret = __ceph_do_getattr(inode, page,
> CEPH_STAT_CAP_INLINE_DATA, !!page);
> if (statret < 0) {
> - __free_page(page);
> + if (page)
> + __free_page(page);
> if (statret == -ENODATA) {
> BUG_ON(retry_op != READ_INLINE);
> goto again;
> —
Reviewed-by: Yan, Zheng <zyan@...hat.com>
> 2.5.0
>
Powered by blists - more mailing lists