On Wed, Feb 26, 2020 at 3:59 PM Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote:
>
> Hello Ilya Dryomov,
>
> The patch 82dcabad750a: "libceph: revamp subs code, switch to
> SUBSCRIBE2 protocol" from Jan 19, 2016, leads to the following static
> checker warning:
>
>         net/ceph/mon_client.c:495 ceph_monc_handle_map()
>         error: dereferencing freed memory 'monc->monmap'
>
> net/ceph/mon_client.c
>    466  static void ceph_monc_handle_map(struct ceph_mon_client *monc,
>    467                                   struct ceph_msg *msg)
>    468  {
>    469          struct ceph_client *client = monc->client;
>    470          struct ceph_monmap *monmap = NULL, *old = monc->monmap;
>                                                      ^^^^^^^^^^^^^^^^^^
>
>    471          void *p, *end;
>    472
>    473          mutex_lock(&monc->mutex);
>    474
>    475          dout("handle_monmap\n");
>    476          p = msg->front.iov_base;
>    477          end = p + msg->front.iov_len;
>    478
>    479          monmap = ceph_monmap_decode(p, end);
>    480          if (IS_ERR(monmap)) {
>    481                  pr_err("problem decoding monmap, %d\n",
>    482                         (int)PTR_ERR(monmap));
>    483                  ceph_msg_dump(msg);
>    484                  goto out;
>    485          }
>    486
>    487          if (ceph_check_fsid(monc->client, &monmap->fsid) < 0) {
>    488                  kfree(monmap);
>    489                  goto out;
>    490          }
>    491
>    492          client->monc.monmap = monmap;
>    493          kfree(old);
>                       ^^^
> Frees monc->monmap.

Hi Dan,

There is no bug here, see
https://lists.openwall.net/netdev/2018/11/27/81.

I'll simplify this code and CC you on a patch.

Thanks,

                Ilya
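
An added illustration, not part of the original thread or the kernel source: a userspace miniature of the quoted store-then-free pattern, showing why a checker that tracks `monc->monmap` and `client->monc.monmap` as separate locations reports a freed pointer. It assumes the monitor client is embedded in the client, so `client->monc` and `monc` are the same object; all struct and function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical layout (assumption): mon_client lives inside client and
 * keeps a back-pointer to it, so monc->client->monc is monc itself. */
struct monmap { unsigned int epoch; };
struct client;
struct mon_client { struct client *client; struct monmap *monmap; };
struct client { struct mon_client monc; };

static struct monmap *monmap_new(unsigned int epoch)
{
    struct monmap *m = malloc(sizeof(*m));
    if (!m)
        abort();
    m->epoch = epoch;
    return m;
}

/* Same shape as the quoted lines 469-493: the new map is stored through
 * the alias client->monc, then the saved old pointer is freed. */
static void handle_map_aliased(struct mon_client *monc, struct monmap *new_map)
{
    struct client *client = monc->client;
    struct monmap *old = monc->monmap;

    client->monc.monmap = new_map;  /* &client->monc == monc: updates monc->monmap */
    free(old);                      /* monc->monmap no longer points here */
}

/* Equivalent form with no alias, which needs no cross-pointer reasoning. */
static void handle_map_direct(struct mon_client *monc, struct monmap *new_map)
{
    free(monc->monmap);
    monc->monmap = new_map;
}

/* Install epoch 1, replace it with epoch 2, read back through monc. */
static unsigned int demo(void (*handler)(struct mon_client *, struct monmap *))
{
    struct client c;
    unsigned int epoch;

    c.monc.client = &c;
    c.monc.monmap = monmap_new(1);
    handler(&c.monc, monmap_new(2));
    epoch = c.monc.monmap->epoch;   /* reads the live (new) map */
    free(c.monc.monmap);
    return epoch;
}

int main(void)
{
    printf("aliased: epoch %u\n", demo(handle_map_aliased));
    printf("direct:  epoch %u\n", demo(handle_map_direct));
    return 0;
}
```

Building this with `-fsanitize=address` is a quick dynamic cross-check on such a report: if the read after the swap really touched freed memory, the sanitizer would flag it.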