summaryrefslogtreecommitdiffstats
path: root/crypto
diff options
context:
space:
mode:
authorIlya Dryomov <idryomov@gmail.com>2018-04-24 19:10:55 +0200
committerIlya Dryomov <idryomov@gmail.com>2018-04-26 17:39:08 +0200
commit9c55ad1c214d9f8c4594ac2c3fa392c1c32431a7 (patch)
tree1520b5b53003aa6bfee5e8afc255cd73061ffc2d /crypto
parent7b4c443d139f1d2b5570da475f7a9cbcef86740c (diff)
downloadlinux-stable-9c55ad1c214d9f8c4594ac2c3fa392c1c32431a7.tar.gz
linux-stable-9c55ad1c214d9f8c4594ac2c3fa392c1c32431a7.tar.bz2
linux-stable-9c55ad1c214d9f8c4594ac2c3fa392c1c32431a7.zip
libceph: validate con->state at the top of try_write()
ceph_con_workfn() validates con->state before calling try_read() and then try_write(). However, try_read() temporarily releases con->mutex, notably in process_message() and ceph_con_in_msg_alloc(), opening the window for ceph_con_close() to sneak in, close the connection and release con->sock. When try_write() is called on the assumption that con->state is still valid (i.e. not STANDBY or CLOSED), a NULL sock gets passed to the networking stack: BUG: unable to handle kernel NULL pointer dereference at 0000000000000020 IP: selinux_socket_sendmsg+0x5/0x20 Make sure con->state is valid at the top of try_write() and add an explicit BUG_ON for this, similar to try_read(). Cc: stable@vger.kernel.org Link: https://tracker.ceph.com/issues/23706 Signed-off-by: Ilya Dryomov <idryomov@gmail.com> Reviewed-by: Jason Dillaman <dillaman@redhat.com>
Diffstat (limited to 'crypto')
0 files changed, 0 insertions, 0 deletions
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-18 03:25:11 +0000