From: Jeff Layton <jlayton@redhat.com>
To: "Yan, Zheng" <zyan@redhat.com>, ceph-devel@vger.kernel.org
Subject: Re: [PATCH 3/5] ceph: fix potential use-after-free
Date: Wed, 05 Apr 2017 13:21:41 -0400 [thread overview]
Message-ID: <1491412901.18658.16.camel@redhat.com> (raw)
In-Reply-To: <20170405013019.5032-3-zyan@redhat.com>
On Wed, 2017-04-05 at 09:30 +0800, Yan, Zheng wrote:
> __unregister_session() free the session if it drops the last
> reference. We should grab an extra reference if we want to use
> session after __unregister_session().
>
> Signed-off-by: "Yan, Zheng" <zyan@redhat.com>
> ---
> fs/ceph/mds_client.c | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
> index 163f0d3..bf765a8 100644
> --- a/fs/ceph/mds_client.c
> +++ b/fs/ceph/mds_client.c
> @@ -2658,8 +2658,10 @@ static void handle_session(struct ceph_mds_session *session,
> seq = le64_to_cpu(h->seq);
>
> mutex_lock(&mdsc->mutex);
> - if (op == CEPH_SESSION_CLOSE)
> + if (op == CEPH_SESSION_CLOSE) {
> + get_session(session);
> __unregister_session(mdsc, session);
> + }
> /* FIXME: this ttl calculation is generous */
> session->s_ttl = jiffies + HZ*mdsc->mdsmap->m_session_autoclose;
> mutex_unlock(&mdsc->mutex);
> @@ -2748,6 +2750,8 @@ static void handle_session(struct ceph_mds_session *session,
> kick_requests(mdsc, mds);
> mutex_unlock(&mdsc->mutex);
> }
> + if (op == CEPH_SESSION_CLOSE)
> + ceph_put_mds_session(session);
> return;
>
> bad:
> @@ -3148,8 +3152,10 @@ static void check_new_map(struct ceph_mds_client *mdsc,
> if (s->s_state == CEPH_MDS_SESSION_OPENING) {
> /* the session never opened, just close it
> * out now */
> - __wake_requests(mdsc, &s->s_waiting);
> + get_session(s);
> __unregister_session(mdsc, s);
> + __wake_requests(mdsc, &s->s_waiting);
> + ceph_put_mds_session(s);
What about this last bit? Why do we need to __wake_requests after
__unregister_session here? If not for that change then you wouldn't
need to take the extra reference here, AFAICS.
> } else {
> /* just close it */
> mutex_unlock(&mdsc->mutex);
Reviewed-by: Jeff Layton <jlayton@redhat.com>
next prev parent reply other threads:[~2017-04-05 17:21 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-05 1:30 [PATCH 1/5] ceph: fix wrong check in ceph_renew_caps() Yan, Zheng
2017-04-05 1:30 ` [PATCH 2/5] ceph: allow connecting to mds whose rank >= mdsmap::m_max_mds Yan, Zheng
2017-04-05 4:39 ` Patrick Donnelly
2017-04-05 22:47 ` Luis Henriques
2017-04-05 1:30 ` [PATCH 3/5] ceph: fix potential use-after-free Yan, Zheng
2017-04-05 17:21 ` Jeff Layton [this message]
2017-04-05 23:59 ` Yan, Zheng
2017-04-05 1:30 ` [PATCH 4/5] ceph: close stopped mds' session Yan, Zheng
2017-04-05 1:30 ` [PATCH 5/5] ceph: make seeky readdir more efficiency Yan, Zheng
2017-04-05 14:16 ` [PATCH 1/5] ceph: fix wrong check in ceph_renew_caps() Jeff Layton
2017-04-06 0:04 ` Yan, Zheng
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1491412901.18658.16.camel@redhat.com \
--to=jlayton@redhat.com \
--cc=ceph-devel@vger.kernel.org \
--cc=zyan@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.