From: Tuo Li <islituo@gmail.com>
To: jlayton@kernel.org, idryomov@gmail.com
Cc: ceph-devel@vger.kernel.org, linux-kernel@vger.kernel.org,
baijiaju1990@gmail.com, Tuo Li <islituo@gmail.com>,
TOTE Robot <oslab@tsinghua.edu.cn>
Subject: [PATCH] ceph: fix possible null-pointer dereference in ceph_mdsmap_decode()
Date: Thu, 5 Aug 2021 05:20:15 -0700
Message-ID: <20210805122015.129824-1-islituo@gmail.com>
kcalloc() is called to allocate memory for m->m_info, and if it fails,
ceph_mdsmap_destroy() behind the label out_err will be called:
  ceph_mdsmap_destroy(m);

In ceph_mdsmap_destroy(), m->m_info is dereferenced through:
  kfree(m->m_info[i].export_targets);

To fix this possible null-pointer dereference, if memory allocation
for m->m_info fails, free m and return -ENOMEM.

Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
Signed-off-by: Tuo Li <islituo@gmail.com>
---
fs/ceph/mdsmap.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/fs/ceph/mdsmap.c b/fs/ceph/mdsmap.c
index abd9af7727ad..7d73e4b64b12 100644
--- a/fs/ceph/mdsmap.c
+++ b/fs/ceph/mdsmap.c
@@ -166,8 +166,10 @@ struct ceph_mdsmap *ceph_mdsmap_decode(void **p, void *end, bool msgr2)
m->possible_max_rank = max(m->m_num_active_mds, m->m_max_mds);
m->m_info = kcalloc(m->possible_max_rank, sizeof(*m->m_info), GFP_NOFS);
- if (!m->m_info)
- goto nomem;
+ if (!m->m_info) {
+ kfree(m);
+ return ERR_PTR(-ENOMEM);
+ }
/* pick out active nodes from mds_info (state > 0) */
for (i = 0; i < n; i++) {
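Review bot: The new `if (!m->m_info)` branch open-codes the cleanup with `kfree(m); return ERR_PTR(-ENOMEM);` instead of making the shared error path safe, so ceph_mdsmap_destroy() still dereferences m->m_info unconditionally, and any other route to out_err taken while m_info is unset would hit the same NULL dereference. The bare kfree(m) is also only correct if nothing else has been attached to m before the kcalloc(), which this hunk does not show. Consider keeping `goto nomem` and guarding the free loop in ceph_mdsmap_destroy() with a check such as `if (m->m_info)`, so that one fix covers every error path and every caller.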
--
2.25.1