* [patch -next] libceph: fix NULL dereference in reset_connection()
From: Dan Carpenter @ 2012-06-19 10:33 UTC
To: Sage Weil, Alex Elder; +Cc: ceph-devel, kernel-janitors
We dereference "con->in_msg" on the line after it was set to NULL.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
index 5e9f61d..6aa671c 100644
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -437,10 +437,10 @@ static void reset_connection(struct ceph_connection *con)
if (con->in_msg) {
BUG_ON(con->in_msg->con != con);
+ ceph_con_put(con->in_msg->con);
con->in_msg->con = NULL;
ceph_msg_put(con->in_msg);
con->in_msg = NULL;
- ceph_con_put(con->in_msg->con);
}
con->connect_seq = 0;
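Review bot: moving ceph_con_put(con->in_msg->con) above the `con->in_msg->con = NULL` store fixes the NULL dereference, but it now drops the connection reference while the function still writes con->in_msg and con->connect_seq below, so the hunk is only safe if the caller is guaranteed to hold its own reference on con. The BUG_ON(con->in_msg->con != con) two lines earlier already establishes that the pointer being put is con itself, so the put can stay where it was and become ceph_con_put(con), after ceph_msg_put(con->in_msg); that keeps the message reference dropped before the connection reference.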
* Re: [patch -next] libceph: fix NULL dereference in reset_connection()
From: Alex Elder @ 2012-06-19 13:27 UTC
To: Dan Carpenter; +Cc: Sage Weil, ceph-devel, kernel-janitors
On 06/19/2012 05:33 AM, Dan Carpenter wrote:
> We dereference "con->in_msg" on the line after it was set to NULL.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Yikes.
Actually I think I prefer a different fix, which is
simply to call ceph_con_put(con) in the same spot
it was called with con->in_msg->con before. I'd
rather drop the message reference before dropping
the connection reference. I.e.:
@@ -440,7 +440,7 @@ static void reset_connection(struct ceph_connection
*con)
con->in_msg->con = NULL;
ceph_msg_put(con->in_msg);
con->in_msg = NULL;
- ceph_con_put(con->in_msg->con);
+ ceph_con_put(con);
}
con->connect_seq = 0;
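Review bot: the hunk header is split across two lines here (`@@ -440,7 +440,7 @@ static void reset_connection(struct ceph_connection` and `*con)`), so as pasted it will not apply cleanly; rejoin it before re-posting. The 7-line context also no longer shows the BUG_ON(con->in_msg->con != con) that makes ceph_con_put(con) equivalent to the removed ceph_con_put(con->in_msg->con), so the re-posted commit message should state that dependency.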
(I crafted that manually--it may not work...)
I will re-post that fix and will credit you with it. Please acknowledge
it's OK with you though. Thanks a lot.
-Alex
> diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
> index 5e9f61d..6aa671c 100644
> --- a/net/ceph/messenger.c
> +++ b/net/ceph/messenger.c
> @@ -437,10 +437,10 @@ static void reset_connection(struct ceph_connection *con)
>
> if (con->in_msg) {
> BUG_ON(con->in_msg->con != con);
> + ceph_con_put(con->in_msg->con);
> con->in_msg->con = NULL;
> ceph_msg_put(con->in_msg);
> con->in_msg = NULL;
> - ceph_con_put(con->in_msg->con);
> }
>
> con->connect_seq = 0;
>
* Re: [patch -next] libceph: fix NULL dereference in reset_connection()
From: Dan Carpenter @ 2012-06-19 13:33 UTC
To: Alex Elder; +Cc: Sage Weil, ceph-devel, kernel-janitors
On Tue, Jun 19, 2012 at 08:27:19AM -0500, Alex Elder wrote:
> On 06/19/2012 05:33 AM, Dan Carpenter wrote:
> > We dereference "con->in_msg" on the line after it was set to NULL.
> >
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> Yikes.
>
> Actually I think I prefer a different fix, which is
> simply to call ceph_con_put(con) in the same spot
> it was called with con->in_msg->con before. I'd
> rather drop the message reference before dropping
> the connection reference. I.e.:
>
> @@ -440,7 +440,7 @@ static void reset_connection(struct ceph_connection
> *con)
> con->in_msg->con = NULL;
> ceph_msg_put(con->in_msg);
> con->in_msg = NULL;
> - ceph_con_put(con->in_msg->con);
> + ceph_con_put(con);
> }
>
> con->connect_seq = 0;
>
> (I crafted that manually--it may not work...)
>
> I will re-post that fix and will credit you with it. Please acknowledge
> it's OK with you though. Thanks a lot.
>
Yep. We already know that con->in_msg->con and con are the same
from the BUG_ON() so this works. Thanks.
regards,
dan carpenter
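A small checker for the bug class in this thread: an expression stored as NULL and then dereferenced before anything reassigns it, inside one straight-line block. This is an added example, not code from the thread or from the kernel tree; the two snippets it scans are the hunk's before and after lines embedded as constructed samples, and the regexes are a deliberate approximation of C, not a parser.

```python
import re

# Constructed sample: the body of reset_connection() as the hunk in this thread
# shows it, before the fix (BEFORE) and with the applied one-line fix (AFTER).
BEFORE = """\
if (con->in_msg) {
    BUG_ON(con->in_msg->con != con);
    con->in_msg->con = NULL;
    ceph_msg_put(con->in_msg);
    con->in_msg = NULL;
    ceph_con_put(con->in_msg->con);
}
con->connect_seq = 0;
"""
AFTER = BEFORE.replace("ceph_con_put(con->in_msg->con);", "ceph_con_put(con);")

NULL_ASSIGN = re.compile(r"^\s*([\w.>-]+)\s*=\s*NULL\s*;")   # expr = NULL;
ANY_ASSIGN = re.compile(r"^\s*([\w.>-]+)\s*=(?!=)")           # expr = ...;


def find_null_derefs(src):
    """Flag lines that dereference (-> or []) an expression that an earlier
    line in the same straight-line block set to NULL and nothing reassigned
    since. Returns (line, expr, null_line) tuples. Deliberately simple: no
    control flow, no aliasing, one function body at a time."""
    nulled = {}        # expr -> line number where it became NULL
    findings = []
    for no, line in enumerate(src.splitlines(), 1):
        # Check the line against everything currently known to be NULL first,
        # so a store through a NULL pointer on this line is also reported.
        for expr, null_line in nulled.items():
            if re.search(re.escape(expr) + r"\s*(->|\[)", line):
                findings.append((no, expr, null_line))
        m = NULL_ASSIGN.match(line)
        if m:
            nulled[m.group(1)] = no
            continue
        m = ANY_ASSIGN.match(line)
        if m:              # any other assignment: no longer known to be NULL
            nulled.pop(m.group(1), None)
    return findings
```

On the BEFORE sample it reports line 6 dereferencing con->in_msg, which line 5 set to NULL; the AFTER sample is clean.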
* [PATCH] libceph: fix NULL dereference in reset_connection()
From: Alex Elder @ 2012-06-19 13:57 UTC
To: Dan Carpenter; +Cc: Sage Weil, ceph-devel, kernel-janitors
I have already incorporated the following in the Ceph master
branch (which is used for the -next build). We will also send
this to Linus soon.
-Alex
====
We dereference "con->in_msg" on the line after it was set to NULL.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Alex Elder <elder@inktank.com>
---
net/ceph/messenger.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
index 5e9f61d..23073cf 100644
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -440,7 +440,7 @@ static void reset_connection(struct ceph_connection
*con)
con->in_msg->con = NULL;
ceph_msg_put(con->in_msg);
con->in_msg = NULL;
- ceph_con_put(con->in_msg->con);
+ ceph_con_put(con);
}
con->connect_seq = 0;
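Review bot: the commit message still only says that con->in_msg is dereferenced after being set to NULL and does not say why ceph_con_put(con) is the right replacement; add that BUG_ON(con->in_msg->con != con) at the top of the block guarantees the two pointers are equal, and that the message reference is intentionally released before the connection reference, as discussed in the thread. The diffstat (1 insertion, 1 deletion in net/ceph/messenger.c) matches the hunk.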