[PATCH 1/2] ceph: check rinfo->dir_dir before dereferencing it.

[PATCH 1/2] ceph: check rinfo->dir_dir before dereferencing it.

[Yan, Zheng]

From: "Yan, Zheng" <zheng.z.yan@intel.com>

Signed-off-by: Yan, Zheng <zheng.z.yan@intel.com>
---
 fs/ceph/inode.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c
index 49d4de0..6f0a35c 100644
--- a/fs/ceph/inode.c
+++ b/fs/ceph/inode.c
@@ -1288,7 +1288,8 @@ int ceph_readdir_prepopulate(struct ceph_mds_request *req,
 	u64 r_readdir_offset = req->r_readdir_offset;
 	u32 frag = le32_to_cpu(rhead->args.readdir.frag);
 
-	if (le32_to_cpu(rinfo->dir_dir->frag) != frag) {
+	if (rinfo->dir_dir &&
+	    le32_to_cpu(rinfo->dir_dir->frag) != frag) {
 		dout("readdir_prepopulate got new frag %x -> %x\n",
 		     frag, le32_to_cpu(rinfo->dir_dir->frag));
 		frag = le32_to_cpu(rinfo->dir_dir->frag);
-- 
1.8.1.4

[PATCH 2/2] ceph: fix use-after-free bug

[Yan, Zheng]

From: "Yan, Zheng" <zheng.z.yan@intel.com>

Signed-off-by: Yan, Zheng <zheng.z.yan@intel.com>
---
 fs/ceph/inode.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c
index 6f0a35c..2ae1381 100644
--- a/fs/ceph/inode.c
+++ b/fs/ceph/inode.c
@@ -779,6 +779,7 @@ no_change:
 			rb_node = rb_next(rb_node);
 			rb_erase(&frag->node, &ci->i_fragtree);
 			kfree(frag);
+			frag = NULL;
 		}
 		if (!frag) {
 			frag = __get_or_create_frag(ci, id);
-- 
1.8.1.4

Re: [PATCH 1/2] ceph: check rinfo->dir_dir before dereferencing it.

[Sage Weil]

Hi Yan,

I squashed these two patches into the commits they fix.  master and 
testing branches are updated+rebased.

NOTE: I've been treating these branches as a patch queue and rebase as 
needed.  If anyone is using the ceph-client.git tree as a basis for 
development and is disrupted by this, let me know!

sage



On Sat, 28 Sep 2013, Yan, Zheng wrote:

> From: "Yan, Zheng" <zheng.z.yan@intel.com>
> 
> Signed-off-by: Yan, Zheng <zheng.z.yan@intel.com>
> ---
>  fs/ceph/inode.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c
> index 49d4de0..6f0a35c 100644
> --- a/fs/ceph/inode.c
> +++ b/fs/ceph/inode.c
> @@ -1288,7 +1288,8 @@ int ceph_readdir_prepopulate(struct ceph_mds_request *req,
>  	u64 r_readdir_offset = req->r_readdir_offset;
>  	u32 frag = le32_to_cpu(rhead->args.readdir.frag);
>  
> -	if (le32_to_cpu(rinfo->dir_dir->frag) != frag) {
> +	if (rinfo->dir_dir &&
> +	    le32_to_cpu(rinfo->dir_dir->frag) != frag) {
>  		dout("readdir_prepopulate got new frag %x -> %x\n",
>  		     frag, le32_to_cpu(rinfo->dir_dir->frag));
>  		frag = le32_to_cpu(rinfo->dir_dir->frag);
> -- 
> 1.8.1.4
> 
> --
> To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
>