ceph: fix null pointer dereference in discard_cap_releases()

send_mds_reconnect() may call discard_cap_releases() after all release messages have been dropped by cleanup_cap_releases() Signed-off-by: Yan, Zheng <zheng.z.yan@intel.com> Reviewed-by: Sage Weil <sage@inktank.com>
author: Yan, Zheng <zheng.z.yan@intel.com> 2014-03-23 21:56:43 -0400
committer: Sage Weil <sage@inktank.com> 2014-04-05 00:07:17 -0400
commit: 00bd8edb861eb41d274938cfc0338999d9c593a3 (patch)
tree: f924d27c0651107432a5fb6505ead522c65cc8fe /fs/ceph/mds_client.c
parent: d90deda69cb82411ba7d990e97218e0f8b2d07bb (diff)
1 files changed, 12 insertions, 9 deletions
diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
index f260bd8d61cd..77640ada487a 100644
--- a/fs/ceph/mds_client.c
+++ b/fs/ceph/mds_client.c
@@ -1462,15 +1462,18 @@ static void discard_cap_releases(struct ceph_mds_client *mdsc,
        dout("discard_cap_releases mds%d\n", session->s_mds);
-        /* zero out the in-progress message */
+        if (!list_empty(&session->s_cap_releases)) {
-        msg = list_first_entry(&session->s_cap_releases,
+                /* zero out the in-progress message */
-                               struct ceph_msg, list_head);
+                msg = list_first_entry(&session->s_cap_releases,
-        head = msg->front.iov_base;
+                                        struct ceph_msg, list_head);
-        num = le32_to_cpu(head->num);
+                head = msg->front.iov_base;
-        dout("discard_cap_releases mds%d %p %u\n", session->s_mds, msg, num);
+                num = le32_to_cpu(head->num);
-        head->num = cpu_to_le32(0);
+                dout("discard_cap_releases mds%d %p %u\n",
-        msg->front.iov_len = sizeof(*head);
+                     session->s_mds, msg, num);
-        session->s_num_cap_releases += num;
+                head->num = cpu_to_le32(0);
+                msg->front.iov_len = sizeof(*head);
+                session->s_num_cap_releases += num;
+        }
        /* requeue completed messages */
        while (!list_empty(&session->s_cap_releases_done)) {
author	Yan, Zheng <zheng.z.yan@intel.com>	2014-03-23 21:56:43 -0400
committer	Sage Weil <sage@inktank.com>	2014-04-05 00:07:17 -0400
commit	00bd8edb861eb41d274938cfc0338999d9c593a3 (patch)
tree	f924d27c0651107432a5fb6505ead522c65cc8fe /fs/ceph/mds_client.c
parent	d90deda69cb82411ba7d990e97218e0f8b2d07bb (diff)

diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c index f260bd8d61cd..77640ada487a 100644 --- a/fs/ceph/mds_client.c +++ b/fs/ceph/mds_client.c
@@ -1462,15 +1462,18 @@ static void discard_cap_releases(struct ceph_mds_client *mdsc,
1462		1462
1463	dout("discard_cap_releases mds%d\n", session->s_mds);	1463	dout("discard_cap_releases mds%d\n", session->s_mds);
1464		1464
1465	/* zero out the in-progress message */	1465	if (!list_empty(&session->s_cap_releases)) {
1466	msg = list_first_entry(&session->s_cap_releases,	1466	/* zero out the in-progress message */
1467	struct ceph_msg, list_head);	1467	msg = list_first_entry(&session->s_cap_releases,
1468	head = msg->front.iov_base;	1468	struct ceph_msg, list_head);
1469	num = le32_to_cpu(head->num);	1469	head = msg->front.iov_base;
1470	dout("discard_cap_releases mds%d %p %u\n", session->s_mds, msg, num);	1470	num = le32_to_cpu(head->num);
1471	head->num = cpu_to_le32(0);	1471	dout("discard_cap_releases mds%d %p %u\n",
1472	msg->front.iov_len = sizeof(*head);	1472	session->s_mds, msg, num);
1473	session->s_num_cap_releases += num;	1473	head->num = cpu_to_le32(0);
		1474	msg->front.iov_len = sizeof(*head);
		1475	session->s_num_cap_releases += num;
		1476	}
1474		1477
1475	/* requeue completed messages */	1478	/* requeue completed messages */
1476	while (!list_empty(&session->s_cap_releases_done)) {	1479	while (!list_empty(&session->s_cap_releases_done)) {