From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Tuo Li <islituo@gmail.com>, TOTE Robot <oslab@tsinghua.edu.cn>,
	Jeff Layton <jlayton@kernel.org>,
	Ilya Dryomov <idryomov@gmail.com>,
	Sasha Levin <sashal@kernel.org>,
	ceph-devel@vger.kernel.org
Subject: [PATCH AUTOSEL 5.10 07/11] ceph: fix possible null-pointer dereference in ceph_mdsmap_decode()
Date: Mon, 30 Aug 2021 07:59:58 -0400
Message-ID: <20210830120002.1017700-7-sashal@kernel.org>
In-Reply-To: <20210830120002.1017700-1-sashal@kernel.org>

From: Tuo Li <islituo@gmail.com>

[ Upstream commit a9e6ffbc5b7324b6639ee89028908b1e91ceed51 ]

kcalloc() is called to allocate memory for m->m_info, and if it fails,
ceph_mdsmap_destroy() behind the label out_err will be called:
  ceph_mdsmap_destroy(m);

In ceph_mdsmap_destroy(), m->m_info is dereferenced through:
  kfree(m->m_info[i].export_targets);

To fix this possible null-pointer dereference, check m->m_info before the
for loop to free m->m_info[i].export_targets.

[ jlayton: fix up whitespace damage
	   only kfree(m->m_info) if it's non-NULL ]

Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
Signed-off-by: Tuo Li <islituo@gmail.com>
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/ceph/mdsmap.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/fs/ceph/mdsmap.c b/fs/ceph/mdsmap.c
index 1096d1d3a84c..47f2903bacb9 100644
--- a/fs/ceph/mdsmap.c
+++ b/fs/ceph/mdsmap.c
@@ -393,9 +393,11 @@ void ceph_mdsmap_destroy(struct ceph_mdsmap *m)
 {
 	int i;
 
-	for (i = 0; i < m->possible_max_rank; i++)
-		kfree(m->m_info[i].export_targets);
-	kfree(m->m_info);
+	if (m->m_info) {
+		for (i = 0; i < m->possible_max_rank; i++)
+			kfree(m->m_info[i].export_targets);
+		kfree(m->m_info);
+	}
 	kfree(m->m_data_pg_pools);
 	kfree(m);
 }
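Review bot: the new `if (m->m_info)` guard in ceph_mdsmap_destroy() carries no comment explaining why a destructor can see a NULL m_info, so a later cleanup could remove it as redundant. A one-line comment above the `if` noting that the function is also reached from the ceph_mdsmap_decode() error path with a partially built map would preserve the intent. Only the loop needs the guard, since kfree() accepts NULL, so `kfree(m->m_info);` could stay outside the block as it was; keeping it inside is harmless. The loop still runs to m->possible_max_rank, so the fix relies on m_info, whenever it is non-NULL, holding at least that many entries; that invariant sits in the decode path and is not visible in this hunk, so it is worth confirming when backporting to 5.10.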
-- 
2.30.2

