Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 10.0 \(3226\))
Subject: Re: [PATCHv2] ceph: Fix error handling in ceph_read_iter
From: "Yan, Zheng" <zyan@redhat.com>
In-Reply-To: <1476104199-3259-1-git-send-email-kernel@kyup.com>
Date: Mon, 10 Oct 2016 21:11:19 +0800
Cc: Ilya Dryomov <idryomov@gmail.com>,
        ceph-devel <ceph-devel@vger.kernel.org>, linux-kernel@vger.kernel.org
Content-Transfer-Encoding: 8BIT
Message-Id: <530F1E79-6653-45F5-BBC6-B1D9F9005D14@redhat.com>
References: <1476103098-2925-1-git-send-email-kernel@kyup.com>
 <1476104199-3259-1-git-send-email-kernel@kyup.com>
To: Nikolay Borisov <kernel@kyup.com>
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1213
Lines: 40


> On 10 Oct 2016, at 20:56, Nikolay Borisov <kernel@kyup.com> wrote:
> 
> In case __ceph_do_getattr returns an error and the retry_op in
> ceph_read_iter is not READ_INLINE, then it's possible to invoke
> __free_page on a page which is NULL, this naturally leads to a crash.
> This can happen when, for example, a process waiting on a MDS reply
> receives sigterm.
> 
> Fix this by explicitly checking whether the page is set or not.
> 
> Signed-off-by: Nikolay Borisov <kernel@kyup.com>
> Link: http://www.spinics.net/lists/ceph-users/msg31592.html
> ---
> 
> Inverted the condition, so resending with correct condition
> this time. 
> 
> fs/ceph/file.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/ceph/file.c b/fs/ceph/file.c
> index 3c68e6aee2f0..7413313ae6c8 100644
> --- a/fs/ceph/file.c
> +++ b/fs/ceph/file.c
> @@ -929,7 +929,8 @@ again:
> 		statret = __ceph_do_getattr(inode, page,
> 					    CEPH_STAT_CAP_INLINE_DATA, !!page);
> 		if (statret < 0) {
> -			 __free_page(page);
> +			if (page)
> +				__free_page(page);
> 			if (statret == -ENODATA) {
> 				BUG_ON(retry_op != READ_INLINE);
> 				goto again;
> — 
Reviewed-by: Yan, Zheng <zyan@redhat.com>

> 2.5.0
>