From: Tuo Li
To: idryomov@gmail.com, xiubli@redhat.com
Cc: ceph-devel@vger.kernel.org, linux-kernel@vger.kernel.org, Tuo Li
Subject: [PATCH v2] net: ceph: make free_choose_arg_map() resilient to partial allocation
Date: Sun, 21 Dec 2025 02:11:49 +0800
Message-ID: <20251220181149.46699-1-islituo@gmail.com>

free_choose_arg_map() may dereference a NULL pointer if its caller fails after a partial allocation.

For example, in decode_choose_args(), if allocation of arg_map->args fails, execution jumps to the fail label and free_choose_arg_map() is called. Since arg_map->size is updated to a non-zero value before memory allocation, free_choose_arg_map() will iterate over arg_map->args and dereference a NULL pointer.

To prevent this potential NULL pointer dereference and make free_choose_arg_map() more resilient, add checks for pointers before iterating.

Signed-off-by: Tuo Li Reviewed-by: Viacheslav Dubeyko --- v2: * Add pointer checks before iterating in free_choose_arg_map(), instead of moving the arg_map->size assignment in decode_choose_args(). Thanks to Viacheslav Dubeyko for pointing out the issue with the previous patch, and to Ilya Dryomov for the helpful advice. --- net/ceph/osdmap.c | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/net/ceph/osdmap.c b/net/ceph/osdmap.c index 34b3ab59602f..08157945af43 100644 --- a/net/ceph/osdmap.c +++ b/net/ceph/osdmap.c @@ -241,22 +241,26 @@ static struct crush_choose_arg_map *alloc_choose_arg_= map(void) =20 static void free_choose_arg_map(struct crush_choose_arg_map *arg_map) { - if (arg_map) { - int i, j; + int i, j; + + if (!arg_map) + return; =20 - WARN_ON(!RB_EMPTY_NODE(&arg_map->node)); + WARN_ON(!RB_EMPTY_NODE(&arg_map->node)); =20 + if (arg_map->args) { for (i =3D 0; i < arg_map->size; i++) { struct crush_choose_arg *arg =3D &arg_map->args[i]; - - for (j =3D 0; j < arg->weight_set_size; j++) - kfree(arg->weight_set[j].weights); - kfree(arg->weight_set); + if (arg->weight_set) { + for (j =3D 0; j < arg->weight_set_size; j++) + kfree(arg->weight_set[j].weights); + kfree(arg->weight_set); + } kfree(arg->ids); } kfree(arg_map->args); - kfree(arg_map); } + kfree(arg_map); } =20 DEFINE_RB_FUNCS(choose_arg_map, struct crush_choose_arg_map, choose_args_i= ndex, --=20 2.48.1
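
Review bot: In the loop body of free_choose_arg_map(), the new `if (arg->weight_set)` guard and the `kfree(arg->ids)` that follows it are only safe for entries the decoder never reached if the `arg_map->args` array is zero-initialised when it is allocated, which this hunk does not show. If that invariant holds, state it in the commit message or in a short comment above the loop, because the fix depends on it; the same applies to `arg->weight_set[j].weights` if `weight_set_size` can be set before every `weights` allocation has succeeded. On style, the hunk removes the blank line after the declaration `struct crush_choose_arg *arg = &arg_map->args[i];`, so `if (arg->weight_set) {` now follows the declaration directly; keep a blank line between declarations and statements. The trailers also carry no Fixes: tag, which would help backporting of a NULL pointer dereference fix.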