From patchwork Wed Apr 25 10:28:53 2018
X-Patchwork-Submitter: Ilya Dryomov
X-Patchwork-Id: 10362227
From: Ilya Dryomov
To: ceph-devel@vger.kernel.org
Subject: [PATCH] libceph: validate con->state at the top of try_write()
Date: Wed, 25 Apr 2018 12:28:53 +0200
Message-Id: <1524652133-7432-1-git-send-email-idryomov@gmail.com>
X-Mailer: git-send-email 2.4.3
Sender: ceph-devel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: ceph-devel@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

ceph_con_workfn() validates con->state before calling try_read() and
then try_write().  However, try_read() temporarily releases con->mutex,
notably in process_message() and ceph_con_in_msg_alloc(), opening the
window for ceph_con_close() to sneak in, close the connection and
release con->sock.  When try_write() is called on the assumption that
con->state is still valid (i.e. not STANDBY or CLOSED), a NULL sock gets
passed to the networking stack:

  BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
  IP: selinux_socket_sendmsg+0x5/0x20

Make sure con->state is valid at the top of try_write() and add an
explicit BUG_ON for this, similar to try_read().

Cc: stable@vger.kernel.org
Link: https://tracker.ceph.com/issues/23706
Signed-off-by: Ilya Dryomov
Reviewed-by: Jason Dillaman
---
 net/ceph/messenger.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
index fcb40c12b1f8..a7bfc07d2876 100644
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -2569,6 +2569,10 @@ static int try_write(struct ceph_connection *con)
 	int ret = 1;
 
 	dout("try_write start %p state %lu\n", con, con->state);
+	if (con->state != CON_STATE_PREOPEN &&
+	    con->state != CON_STATE_NEGOTIATING &&
+	    con->state != CON_STATE_OPEN)
+		return 0;
 
 more:
 	dout("try_write out_kvec_bytes %d\n", con->out_kvec_bytes);
@@ -2594,6 +2598,8 @@ static int try_write(struct ceph_connection *con)
 	}
 
 more_kvec:
+	BUG_ON(!con->sock);
+
 	/* kvec data queued? */
 	if (con->out_kvec_left) {
 		ret = write_partial_kvec(con);
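Review bot: In the first hunk the new check is an allow-list (PREOPEN, NEGOTIATING, OPEN) while the commit message describes the bad case as a deny-list ("not STANDBY or CLOSED"); any other state value, now or added later, will also take the silent `return 0` path. If the allow-list is the intent, a one-line comment above the `if` saying so (and that the preceding `dout()` already records the skipped state) would keep the next reader from "fixing" it back to a STANDBY/CLOSED test; alternatively reword the commit message to match the code.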
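Review bot: In the second hunk `BUG_ON(!con->sock)` at `more_kvec:` is reached on every pass of the write loop, but the state validation lives only at function entry before `more:`. That is sound only if nothing between `more:` and `more_kvec:` drops `con->mutex` the way try_read() does via process_message(); if anything there does, the BUG_ON would fire on the same ceph_con_close() race the patch is fixing instead of on a genuine logic error. Worth confirming in the commit message that the loop body holds the mutex throughout, or moving the state check under `more:` so both labels are covered.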