On 4/18/22 6:43 PM, Aaron Tomlin wrote:
On Mon 2022-04-18 09:44 +0800, Xiubo Li wrote:
The request will be inserted into the ci->i_unsafe_dirops before
assigning the req->r_session, so it's possible that we will hit
NULL pointer dereference bug here.
URL: https://tracker.ceph.com/issues/55327
Signed-off-by: Xiubo Li <xiubli@xxxxxxxxxx>
---
fs/ceph/caps.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c
index 69af17df59be..c70fd747c914 100644
--- a/fs/ceph/caps.c
+++ b/fs/ceph/caps.c
@@ -2333,6 +2333,8 @@ static int unsafe_request_wait(struct inode *inode)
list_for_each_entry(req, &ci->i_unsafe_dirops,
r_unsafe_dir_item) {
s = req->r_session;
+ if (!s)
+ continue;
if (unlikely(s->s_mds >= max_sessions)) {
spin_unlock(&ci->i_unsafe_lock);
for (i = 0; i < max_sessions; i++) {
@@ -2353,6 +2355,8 @@ static int unsafe_request_wait(struct inode *inode)
list_for_each_entry(req, &ci->i_unsafe_iops,
r_unsafe_target_item) {
s = req->r_session;
+ if (!s)
+ continue;
if (unlikely(s->s_mds >= max_sessions)) {
spin_unlock(&ci->i_unsafe_lock);
for (i = 0; i < max_sessions; i++) {
--
2.36.0.rc1
Tested-by: Aaron Tomlin <atomlin@xxxxxxxxxx>
Hi Aaron,
Thanks very much for you testing.
BTW, did you test this by using Livepatch or something else ?
-- Xiubo
