* [bug report] libceph: revamp subs code, switch to SUBSCRIBE2 protocol
@ 2020-02-26 14:59 Dan Carpenter
2020-02-26 15:31 ` Ilya Dryomov
0 siblings, 1 reply; 2+ messages in thread
From: Dan Carpenter @ 2020-02-26 14:59 UTC (permalink / raw)
To: idryomov; +Cc: ceph-devel
Hello Ilya Dryomov,
The patch 82dcabad750a: "libceph: revamp subs code, switch to
SUBSCRIBE2 protocol" from Jan 19, 2016, leads to the following static
checker warning:
net/ceph/mon_client.c:495 ceph_monc_handle_map()
error: dereferencing freed memory 'monc->monmap'
net/ceph/mon_client.c
466 static void ceph_monc_handle_map(struct ceph_mon_client *monc,
467 struct ceph_msg *msg)
468 {
469 struct ceph_client *client = monc->client;
470 struct ceph_monmap *monmap = NULL, *old = monc->monmap;
^^^^^^^^^^^^^^^^^^
471 void *p, *end;
472
473 mutex_lock(&monc->mutex);
474
475 dout("handle_monmap\n");
476 p = msg->front.iov_base;
477 end = p + msg->front.iov_len;
478
479 monmap = ceph_monmap_decode(p, end);
480 if (IS_ERR(monmap)) {
481 pr_err("problem decoding monmap, %d\n",
482 (int)PTR_ERR(monmap));
483 ceph_msg_dump(msg);
484 goto out;
485 }
486
487 if (ceph_check_fsid(monc->client, &monmap->fsid) < 0) {
488 kfree(monmap);
489 goto out;
490 }
491
492 client->monc.monmap = monmap;
493 kfree(old);
^^^
Frees monc->monmap.
494
495 __ceph_monc_got_map(monc, CEPH_SUB_MONMAP, monc->monmap->epoch);
^^^^^^^^^^^^
Should this be "client->monc.monmap" or maybe just "monmap"?
496 client->have_fsid = true;
497
498 out:
499 mutex_unlock(&monc->mutex);
500 wake_up_all(&client->auth_wq);
501 }
regards,
dan carpenter
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [bug report] libceph: revamp subs code, switch to SUBSCRIBE2 protocol
2020-02-26 14:59 [bug report] libceph: revamp subs code, switch to SUBSCRIBE2 protocol Dan Carpenter
@ 2020-02-26 15:31 ` Ilya Dryomov
0 siblings, 0 replies; 2+ messages in thread
From: Ilya Dryomov @ 2020-02-26 15:31 UTC (permalink / raw)
To: Dan Carpenter; +Cc: Ceph Development
On Wed, Feb 26, 2020 at 3:59 PM Dan Carpenter <dan.carpenter@oracle.com> wrote:
>
> Hello Ilya Dryomov,
>
> The patch 82dcabad750a: "libceph: revamp subs code, switch to
> SUBSCRIBE2 protocol" from Jan 19, 2016, leads to the following static
> checker warning:
>
> net/ceph/mon_client.c:495 ceph_monc_handle_map()
> error: dereferencing freed memory 'monc->monmap'
>
> net/ceph/mon_client.c
> 466 static void ceph_monc_handle_map(struct ceph_mon_client *monc,
> 467 struct ceph_msg *msg)
> 468 {
> 469 struct ceph_client *client = monc->client;
> 470 struct ceph_monmap *monmap = NULL, *old = monc->monmap;
> ^^^^^^^^^^^^^^^^^^
>
> 471 void *p, *end;
> 472
> 473 mutex_lock(&monc->mutex);
> 474
> 475 dout("handle_monmap\n");
> 476 p = msg->front.iov_base;
> 477 end = p + msg->front.iov_len;
> 478
> 479 monmap = ceph_monmap_decode(p, end);
> 480 if (IS_ERR(monmap)) {
> 481 pr_err("problem decoding monmap, %d\n",
> 482 (int)PTR_ERR(monmap));
> 483 ceph_msg_dump(msg);
> 484 goto out;
> 485 }
> 486
> 487 if (ceph_check_fsid(monc->client, &monmap->fsid) < 0) {
> 488 kfree(monmap);
> 489 goto out;
> 490 }
> 491
> 492 client->monc.monmap = monmap;
> 493 kfree(old);
> ^^^
> Frees monc->monmap.
Hi Dan,
There is no bug here, see https://lists.openwall.net/netdev/2018/11/27/81.
I'll simplify this code and CC you on a patch.
Thanks,
Ilya
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-02-26 15:31 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-02-26 14:59 [bug report] libceph: revamp subs code, switch to SUBSCRIBE2 protocol Dan Carpenter
2020-02-26 15:31 ` Ilya Dryomov
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.