From: Tuo Li
To: idryomov@gmail.com, xiubli@redhat.com
Cc: ceph-devel@vger.kernel.org, linux-kernel@vger.kernel.org, Tuo Li
Subject: [PATCH] net: ceph: Fix a possible null-pointer dereference in decode_choose_args()
Date: Thu, 18 Dec 2025 15:56:03 +0800
Message-ID: <20251218075603.8797-1-islituo@gmail.com>

In decode_choose_args(), arg_map->size is updated before memory is
allocated for arg_map->args using kcalloc(). If kcalloc() fails, execution
jumps to the fail label, where free_choose_arg_map() is called to release
resources. However, free_choose_arg_map() unconditionally iterates over
arg_map->args using arg_map->size, which can lead to a NULL pointer
dereference when arg_map->args is NULL:

  for (i = 0; i < arg_map->size; i++) {
    struct crush_choose_arg *arg = &arg_map->args[i];

    for (j = 0; j < arg->weight_set_size; j++)
      kfree(arg->weight_set[j].weights);
    kfree(arg->weight_set);
    kfree(arg->ids);
  }

To prevent this potential NULL pointer dereference, move the assignment to
arg_map->size to after successful allocation of arg_map->args. This ensures
that when allocation fails, arg_map->size remains zero and the loop in
free_choose_arg_map() is not executed.

Signed-off-by: Tuo Li --- net/ceph/osdmap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ceph/osdmap.c b/net/ceph/osdmap.c index d245fa508e1c..f67a87b3a7c8 100644 --- a/net/ceph/osdmap.c +++ b/net/ceph/osdmap.c @@ -363,13 +363,13 @@ static int decode_choose_args(void **p, void *end, st= ruct crush_map *c) =20 ceph_decode_64_safe(p, end, arg_map->choose_args_index, e_inval); - arg_map->size =3D c->max_buckets; arg_map->args =3D kcalloc(arg_map->size, sizeof(*arg_map->args), GFP_NOIO); if (!arg_map->args) { ret =3D -ENOMEM; goto fail; } + arg_map->size =3D c->max_buckets; =20 ceph_decode_32_safe(p, end, num_buckets, e_inval); while (num_buckets--) { --=20 2.43.0
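Review bot: the unchanged context line that calls kcalloc(arg_map->size, sizeof(*arg_map->args), GFP_NOIO) still takes its element count from arg_map->size, which after this change is not assigned until after the call. If arg_map->size is still zero at that point, as the commit message states for the failure path, kcalloc() is asked for zero elements; a zero-size kernel allocation returns ZERO_SIZE_PTR rather than NULL, so the !arg_map->args check passes and arg_map->size is then set to c->max_buckets over an array that has no storage behind it. Pass c->max_buckets to kcalloc() directly and keep the assignment to arg_map->size after the NULL check, so the count used for the allocation and the count used by the later loops cannot disagree. An alternative that leaves decode_choose_args() untouched is to have free_choose_arg_map() skip its loop when arg_map->args is NULL.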