| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 14 Oct 2019 17:00:59 +0800
From: Yanhu Cao <gmayyyha@...il.com>
To: jlayton@...nel.org
Cc: sage@...hat.com, idryomov@...il.com, ceph-devel@...r.kernel.org,
linux-kernel@...r.kernel.org, Yanhu Cao <gmayyyha@...il.com>
Subject: [PATCH] function dispatch should return if mds session does not exist
we shouldn't call ceph_msg_put, otherwise libceph will pass
invalid pointer to mm.
kernel panic - not syncing: fatal exception
[5452201.213885] ------------[ cut here ]------------
[5452201.213889] kernel BUG at mm/slub.c:3901!
[5452201.213938] invalid opcode: 0000 [#1] SMP PTI
[5452201.213971] CPU: 35 PID: 3037447 Comm: kworker/35:1 Kdump: loaded Not tainted 4.19.15 #1
[5452201.214020] Hardware name: HP ProLiant DL380 Gen9/ProLiant DL380 Gen9, BIOS P89 01/22/2018
[5452201.214088] Workqueue: ceph-msgr ceph_con_workfn [libceph]
[5452201.214129] RIP: 0010:kfree+0x15b/0x170
[5452201.214156] Code: 8b 02 f6 c4 80 75 08 49 8b 42 08 a8 01 74 1b 49 8b 02 31 f6 f6 c4 80 74 05 41 0f b6 72 51 5b 5d 41 5c 4c 89 d7 e9 95 03 f9 ff <0f> 0b 48 83 e8 01 e9 01 ff ff ff 49 83 ea 01 e9 e9 fe ff ff 90 0f
[5452201.214262] RSP: 0018:ffffb8c3a0607cb0 EFLAGS: 00010246
[5452201.214296] RAX: ffffeee840000008 RBX: ffff9130c0000000 RCX: 0000000080200016
[5452201.214339] RDX: 00006f0ec0000000 RSI: 0000000000000000 RDI: ffff9130c0000000
[5452201.214383] RBP: ffff91107f823970 R08: 0000000000000001 R09: 0000000000000000
[5452201.214426] R10: ffffeee840000000 R11: 0000000000000001 R12: ffffffffc076c45d
[5452201.214469] R13: ffff91107f823970 R14: ffff91107f8239e0 R15: ffff91107f823900
[5452201.214513] FS: 0000000000000000(0000) GS:ffff9110bfbc0000(0000) knlGS:0000000000000000
[5452201.214562] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[5452201.214598] CR2: 000055993ab29620 CR3: 0000003a1e00a003 CR4: 00000000003606e0
[5452201.214641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[5452201.214685] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[5452201.214728] Call Trace:
[5452201.214759] ceph_msg_release+0x15d/0x190 [libceph]
[5452201.214811] dispatch+0x66/0xa50 [ceph]
[5452201.214846] try_read+0x7f3/0x11d0 [libceph]
[5452201.214878] ? dequeue_entity+0x37e/0x7e0
[5452201.214907] ? pick_next_task_fair+0x291/0x610
[5452201.214937] ? dequeue_task_fair+0x5d/0x700
[5452201.214966] ? __switch_to+0x8c/0x470
[5452201.214999] ceph_con_workfn+0xa2/0x5b0 [libceph]
[5452201.215033] process_one_work+0x16b/0x370
[5452201.215062] worker_thread+0x49/0x3f0
[5452201.215089] kthread+0xf5/0x130
[5452201.215112] ? max_active_store+0x80/0x80
[5452201.215139] ? kthread_bind+0x10/0x10
[5452201.215167] ret_from_fork+0x1f/0x30
Link: https://tracker.ceph.com/issues/42288
Signed-off-by: Yanhu Cao <gmayyyha@...il.com>
---
fs/ceph/mds_client.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
index a8a8f84f3bbf..066358fea347 100644
--- a/fs/ceph/mds_client.c
+++ b/fs/ceph/mds_client.c
@@ -4635,7 +4635,7 @@ static void dispatch(struct ceph_connection *con, struct ceph_msg *msg)
mutex_lock(&mdsc->mutex);
if (__verify_registered_session(mdsc, s) < 0) {
mutex_unlock(&mdsc->mutex);
- goto out;
+ return;
}
mutex_unlock(&mdsc->mutex);
@@ -4672,7 +4672,6 @@ static void dispatch(struct ceph_connection *con, struct ceph_msg *msg)
pr_err("received unknown message type %d %s\n", type,
ceph_msg_type_name(type));
}
-out:
ceph_msg_put(msg);
}
--
2.21.0 (Apple Git-122)
Powered by blists - more mailing lists