Commit 9c55ad1c authored by Ilya Dryomov's avatar Ilya Dryomov

libceph: validate con->state at the top of try_write()

ceph_con_workfn() validates con->state before calling try_read() and
then try_write().  However, try_read() temporarily releases con->mutex,
notably in process_message() and ceph_con_in_msg_alloc(), opening the
window for ceph_con_close() to sneak in, close the connection and
release con->sock.  When try_write() is called on the assumption that
con->state is still valid (i.e. not STANDBY or CLOSED), a NULL sock
gets passed to the networking stack:

  BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
  IP: selinux_socket_sendmsg+0x5/0x20

Make sure con->state is valid at the top of try_write() and add an
explicit BUG_ON for this, similar to try_read().

Cc: stable@vger.kernel.org
Link: https://tracker.ceph.com/issues/23706Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
Reviewed-by: default avatarJason Dillaman <dillaman@redhat.com>
parent 7b4c443d
...@@ -2569,6 +2569,11 @@ static int try_write(struct ceph_connection *con) ...@@ -2569,6 +2569,11 @@ static int try_write(struct ceph_connection *con)
int ret = 1; int ret = 1;
dout("try_write start %p state %lu\n", con, con->state); dout("try_write start %p state %lu\n", con, con->state);
if (con->state != CON_STATE_PREOPEN &&
con->state != CON_STATE_CONNECTING &&
con->state != CON_STATE_NEGOTIATING &&
con->state != CON_STATE_OPEN)
return 0;
more: more:
dout("try_write out_kvec_bytes %d\n", con->out_kvec_bytes); dout("try_write out_kvec_bytes %d\n", con->out_kvec_bytes);
...@@ -2594,6 +2599,8 @@ static int try_write(struct ceph_connection *con) ...@@ -2594,6 +2599,8 @@ static int try_write(struct ceph_connection *con)
} }
more_kvec: more_kvec:
BUG_ON(!con->sock);
/* kvec data queued? */ /* kvec data queued? */
if (con->out_kvec_left) { if (con->out_kvec_left) {
ret = write_partial_kvec(con); ret = write_partial_kvec(con);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment