| From c338c07c51e3106711fad5eb599e375eadb6855d Mon Sep 17 00:00:00 2001 |
| From: Nathaniel Yazdani <n1ght.4nd.d4y@gmail.com> |
| Date: Sun, 4 Aug 2013 21:04:30 -0700 |
| Subject: ceph: fix null pointer dereference |
| |
| From: Nathaniel Yazdani <n1ght.4nd.d4y@gmail.com> |
| |
| commit c338c07c51e3106711fad5eb599e375eadb6855d upstream. |
| |
| When register_session() is given an out-of-range argument for mds, |
| ceph_mdsmap_get_addr() will return a null pointer, which would be given to |
| ceph_con_open() & be dereferenced, causing a kernel oops. This fixes bug #4685 |
| in the Ceph bug tracker <http://tracker.ceph.com/issues/4685>. |
| |
| Signed-off-by: Nathaniel Yazdani <n1ght.4nd.d4y@gmail.com> |
| Reviewed-by: Sage Weil <sage@inktank.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| fs/ceph/mds_client.c | 3 +++ |
| 1 file changed, 3 insertions(+) |
| |
| --- a/fs/ceph/mds_client.c |
| +++ b/fs/ceph/mds_client.c |
| @@ -414,6 +414,9 @@ static struct ceph_mds_session *register |
| { |
| struct ceph_mds_session *s; |
| |
| + if (mds >= mdsc->mdsmap->m_max_mds) |
| + return ERR_PTR(-EINVAL); |
| + |
| s = kzalloc(sizeof(*s), GFP_NOFS); |
| if (!s) |
| return ERR_PTR(-ENOMEM); |
