ceph: fix null pointer dereference in discard_cap_releases()

commit 00bd8edb861eb41d274938cfc0338999d9c593a3 upstream. send_mds_reconnect() may call discard_cap_releases() after all release messages have been dropped by cleanup_cap_releases() Signed-off-by: Yan, Zheng <zheng.z.yan@intel.com> Reviewed-by: Sage Weil <sage@inktank.com> Cc: Markus Blank-Burian <burian@muenster.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ceph: fix null pointer dereference in discard_cap_releases()
commit 00bd8edb861eb41d274938cfc0338999d9c593a3 upstream. send_mds_reconnect() may call discard_cap_releases() after all release messages have been dropped by cleanup_cap_releases() Signed-off-by: Yan, Zheng <zheng.z.yan@intel.com> Reviewed-by: Sage Weil <sage@inktank.com> Cc: Markus Blank-Burian <burian@muenster.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Yan, Zheng · Greg Kroah-Hartman
1 parent e3de52b760
Showing 1 changed file with 12 additions and 9 deletions Side-by-side Diff
fs/ceph/mds_client.c
@@ -1461,15 +1461,18 @@
  
 	dout("discard_cap_releases mds%d\n", session->s_mds);
  
-	/* zero out the in-progress message */
-	msg = list_first_entry(&session->s_cap_releases,
-			       struct ceph_msg, list_head);
-	head = msg->front.iov_base;
-	num = le32_to_cpu(head->num);
-	dout("discard_cap_releases mds%d %p %u\n", session->s_mds, msg, num);
-	head->num = cpu_to_le32(0);
-	msg->front.iov_len = sizeof(*head);
-	session->s_num_cap_releases += num;
+	if (!list_empty(&session->s_cap_releases)) {
+		/* zero out the in-progress message */
+		msg = list_first_entry(&session->s_cap_releases,
+					struct ceph_msg, list_head);
+		head = msg->front.iov_base;
+		num = le32_to_cpu(head->num);
+		dout("discard_cap_releases mds%d %p %u\n",
+		     session->s_mds, msg, num);
+		head->num = cpu_to_le32(0);
+		msg->front.iov_len = sizeof(*head);
+		session->s_num_cap_releases += num;
+	}
  
 	/* requeue completed messages */
 	while (!list_empty(&session->s_cap_releases_done)) {
...	...	@@ -1461,15 +1461,18 @@
1461	1461
1462	1462	dout("discard_cap_releases mds%d\n", session->s_mds);
1463	1463
1464		- /* zero out the in-progress message */
1465		- msg = list_first_entry(&session->s_cap_releases,
1466		- struct ceph_msg, list_head);
1467		- head = msg->front.iov_base;
1468		- num = le32_to_cpu(head->num);
1469		- dout("discard_cap_releases mds%d %p %u\n", session->s_mds, msg, num);
1470		- head->num = cpu_to_le32(0);
1471		- msg->front.iov_len = sizeof(*head);
1472		- session->s_num_cap_releases += num;
	1464	+ if (!list_empty(&session->s_cap_releases)) {
	1465	+ /* zero out the in-progress message */
	1466	+ msg = list_first_entry(&session->s_cap_releases,
	1467	+ struct ceph_msg, list_head);
	1468	+ head = msg->front.iov_base;
	1469	+ num = le32_to_cpu(head->num);
	1470	+ dout("discard_cap_releases mds%d %p %u\n",
	1471	+ session->s_mds, msg, num);
	1472	+ head->num = cpu_to_le32(0);
	1473	+ msg->front.iov_len = sizeof(*head);
	1474	+ session->s_num_cap_releases += num;
	1475	+ }
1473	1476
1474	1477	/* requeue completed messages */
1475	1478	while (!list_empty(&session->s_cap_releases_done)) {