On 05/19/2015 07:39 AM, CSa wrote:
> Hi,
>
> we are encountering a bug in the cephfs client kernel module:
>
>
> May 18 11:02:04 allegro kernel: [1020094.145209] ------------[ cut here ]------------
> May 18 11:02:04 allegro kernel: [1020094.149127] kernel BUG at /build/linux-RGM_Ed/linux-3.16.7-ckt9/fs/ceph/xattr.c:287!
> May 18 11:02:04 allegro kernel: [1020094.149127] invalid opcode: 0000 [#1] SMP
> [...]
> May 18 11:02:04 allegro kernel: [1020094.149127] CPU: 2 PID: 1359 Comm: mv Not tainted 3.16.0-4-amd64 #1 Debian 3.16.7-ckt9-3~deb8u1
> [...]
>
> (see full log at http://paste.debian.net/180292)

Based on a quick look at the code, I think this must be a use-after-free.

The bug occurs if ceph_vxattrs_name_size() is given a non-NULL vxattrs pointer that is neither ceph_dir_vxattrs nor ceph_file_vxattrs.

There is only one caller of ceph_vxattrs_name_size(), and it is passed a value that's a result of a call to ceph_inode_vxattrs(). That function returns only three possible values: ceph_dir_vxattrs, ceph_file_vxattrs, or NULL.

-Alex

> has anybody been hit by this so far?
>
> ciao
> Christian
>
> --
> To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html