ceph: fix use-after-free for fsc->mdsc

lxbsz · gregkh · commit f831c6c95d02 · 2020-08-26T10:31:01.000+02:00
[ Upstream commit a7caa88 ] If the ceph_mdsc_init() fails, it will free the mdsc already. Reported-by: syzbot+b57f46d8d6ea51960b8c@syzkaller.appspotmail.com Signed-off-by: Xiubo Li <xiubli@redhat.com> Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Ilya Dryomov <idryomov@gmail.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
@@ -3682,7 +3682,6 @@ int ceph_mdsc_init(struct ceph_fs_client *fsc)
 		return -ENOMEM;
 	}
 
-	fsc->mdsc = mdsc;
 	init_completion(&mdsc->safe_umount_waiters);
 	init_waitqueue_head(&mdsc->session_close_wq);
 	INIT_LIST_HEAD(&mdsc->waiting_for_map);
@@ -3723,6 +3722,8 @@ int ceph_mdsc_init(struct ceph_fs_client *fsc)
 
 	strscpy(mdsc->nodename, utsname()->nodename,
 		sizeof(mdsc->nodename));
+
+	fsc->mdsc = mdsc;
 	return 0;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -3682,7 +3682,6 @@ int ceph_mdsc_init(struct ceph_fs_client *fsc)`
`3682`	`3682`	`return -ENOMEM;`
`3683`	`3683`	`}`
`3684`	`3684`
`3685`		`- fsc->mdsc = mdsc;`
`3686`	`3685`	`init_completion(&mdsc->safe_umount_waiters);`
`3687`	`3686`	`init_waitqueue_head(&mdsc->session_close_wq);`
`3688`	`3687`	`INIT_LIST_HEAD(&mdsc->waiting_for_map);`
`@@ -3723,6 +3722,8 @@ int ceph_mdsc_init(struct ceph_fs_client *fsc)`
`3723`	`3722`
`3724`	`3723`	`strscpy(mdsc->nodename, utsname()->nodename,`
`3725`	`3724`	`sizeof(mdsc->nodename));`
	`3725`	`+`
	`3726`	`+ fsc->mdsc = mdsc;`
`3726`	`3727`	`return 0;`
`3727`	`3728`	`}`
`3728`	`3729`