This is a note to let you know that I've just added the patch titled
ceph: fix possible NULL pointer dereference for req->r_session
to the 5.10-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
ceph-fix-possible-null-pointer-dereference-for-req-r.patch
and it can be found in the queue-5.10 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
commit 70f0650f5769ca26a04f040dab2ae74a89d6f10b
Author: Xiubo Li <xiubli@xxxxxxxxxx>
Date: Thu Apr 14 09:07:21 2022 +0800
ceph: fix possible NULL pointer dereference for req->r_session
[ Upstream commit 7acae6183cf37c48b8da48bbbdb78820fb3913f3 ]
The request will be inserted into the ci->i_unsafe_dirops before
assigning the req->r_session, so it's possible that we will hit
NULL pointer dereference bug here.
Cc: stable@xxxxxxxxxxxxxxx
URL: https://tracker.ceph.com/issues/55327
Signed-off-by: Xiubo Li <xiubli@xxxxxxxxxx>
Reviewed-by: Jeff Layton <jlayton@xxxxxxxxxx>
Tested-by: Aaron Tomlin <atomlin@xxxxxxxxxx>
Signed-off-by: Ilya Dryomov <idryomov@xxxxxxxxx>
Stable-dep-of: 5bd76b8de5b7 ("ceph: fix NULL pointer dereference for req->r_session")
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c
index 4e2fada35808..ce6a858e765a 100644
--- a/fs/ceph/caps.c
+++ b/fs/ceph/caps.c
@@ -2346,6 +2346,8 @@ static int unsafe_request_wait(struct inode *inode)
list_for_each_entry(req, &ci->i_unsafe_dirops,
r_unsafe_dir_item) {
s = req->r_session;
+ if (!s)
+ continue;
if (unlikely(s->s_mds >= max_sessions)) {
spin_unlock(&ci->i_unsafe_lock);
for (i = 0; i < max_sessions; i++) {
@@ -2366,6 +2368,8 @@ static int unsafe_request_wait(struct inode *inode)
list_for_each_entry(req, &ci->i_unsafe_iops,
r_unsafe_target_item) {
s = req->r_session;
+ if (!s)
+ continue;
if (unlikely(s->s_mds >= max_sessions)) {
spin_unlock(&ci->i_unsafe_lock);
for (i = 0; i < max_sessions; i++) {
