* [PATCH] libceph: avoid NULL kref_put when osd reset races with alloc_msg
@ 2012-10-24 23:20 Sage Weil
2012-10-25 14:28 ` Alex Elder
0 siblings, 1 reply; 3+ messages in thread
From: Sage Weil @ 2012-10-24 23:20 UTC (permalink / raw)
To: ceph-devel; +Cc: Sage Weil
The ceph_on_in_msg_alloc() method drops con->mutex while it allocates a
message. If that races with a timeout that resends a zillion messages and
resets the connection, and the ->alloc_msg() method returns a NULL message,
it will call ceph_msg_put(NULL) and BUG.
Fix by only calling put if msg is non-NULL.
Fixes http://tracker.newdream.net/issues/3142
Signed-off-by: Sage Weil <sage@inktank.com>
---
net/ceph/messenger.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
index 66f6f56..1041114 100644
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -2742,7 +2742,8 @@ static int ceph_con_in_msg_alloc(struct ceph_connection *con, int *skip)
msg = con->ops->alloc_msg(con, hdr, skip);
mutex_lock(&con->mutex);
if (con->state != CON_STATE_OPEN) {
- ceph_msg_put(msg);
+ if (msg)
+ ceph_msg_put(msg);
return -EAGAIN;
}
con->in_msg = msg;
--
1.7.9
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH] libceph: avoid NULL kref_put when osd reset races with alloc_msg
2012-10-24 23:20 [PATCH] libceph: avoid NULL kref_put when osd reset races with alloc_msg Sage Weil
@ 2012-10-25 14:28 ` Alex Elder
2012-10-25 15:50 ` Sage Weil
0 siblings, 1 reply; 3+ messages in thread
From: Alex Elder @ 2012-10-25 14:28 UTC (permalink / raw)
To: Sage Weil; +Cc: ceph-devel
On 10/24/2012 06:20 PM, Sage Weil wrote:
> The ceph_on_in_msg_alloc() method drops con->mutex while it allocates a
> message. If that races with a timeout that resends a zillion messages and
> resets the connection, and the ->alloc_msg() method returns a NULL message,
> it will call ceph_msg_put(NULL) and BUG.
The fix is the right thing to do, but your explanation is wrong.
If msg is null at that point, it's because con->ops->alloc_msg()
failed, and has nothing to do with the mutex state.
So yes, the returned pointer should be checked for null before
dropping a reference, but that's all there is to it...
Perhaps it's the zillion messages that are leading to the
message allocation failure somehow.
> Fix by only calling put if msg is non-NULL.
>
> Fixes http://tracker.newdream.net/issues/3142
Is that the right bug number?
>
> Signed-off-by: Sage Weil <sage@inktank.com>
Please fix the explanation, but otherwise this looks good.
Reviewed-by: Alex Elder <elder@inktank.com>
> net/ceph/messenger.c | 3 ++-
> 1 files changed, 2 insertions(+), 1 deletions(-)
>
> diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
> index 66f6f56..1041114 100644
> --- a/net/ceph/messenger.c
> +++ b/net/ceph/messenger.c
> @@ -2742,7 +2742,8 @@ static int ceph_con_in_msg_alloc(struct ceph_connection *con, int *skip)
> msg = con->ops->alloc_msg(con, hdr, skip);
> mutex_lock(&con->mutex);
> if (con->state != CON_STATE_OPEN) {
> - ceph_msg_put(msg);
> + if (msg)
> + ceph_msg_put(msg);
> return -EAGAIN;
> }
> con->in_msg = msg;
>
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [PATCH] libceph: avoid NULL kref_put when osd reset races with alloc_msg
2012-10-25 14:28 ` Alex Elder
@ 2012-10-25 15:50 ` Sage Weil
0 siblings, 0 replies; 3+ messages in thread
From: Sage Weil @ 2012-10-25 15:50 UTC (permalink / raw)
To: Alex Elder; +Cc: ceph-devel
On Thu, 25 Oct 2012, Alex Elder wrote:
> On 10/24/2012 06:20 PM, Sage Weil wrote:
> > The ceph_on_in_msg_alloc() method drops con->mutex while it allocates a
> > message. If that races with a timeout that resends a zillion messages and
> > resets the connection, and the ->alloc_msg() method returns a NULL message,
> > it will call ceph_msg_put(NULL) and BUG.
>
> The fix is the right thing to do, but your explanation is wrong.
> If msg is null at that point, it's because con->ops->alloc_msg()
> failed, and has nothing to do with the mutex state.
>
> So yes, the returned pointer should be checked for null before
> dropping a reference, but that's all there is to it...
>
> Perhaps it's the zillion messages that are leading to the
> message allocation failure somehow.
Right, fixed that up.
> > Fix by only calling put if msg is non-NULL.
> >
> > Fixes http://tracker.newdream.net/issues/3142
>
> Is that the right bug number?
Nope! Sigh.
> > Signed-off-by: Sage Weil <sage@inktank.com>
>
> Please fix the explanation, but otherwise this looks good.
>
> Reviewed-by: Alex Elder <elder@inktank.com>
Thanks! Repushed to the testing branch.
sage
>
> > net/ceph/messenger.c | 3 ++-
> > 1 files changed, 2 insertions(+), 1 deletions(-)
> >
> > diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
> > index 66f6f56..1041114 100644
> > --- a/net/ceph/messenger.c
> > +++ b/net/ceph/messenger.c
> > @@ -2742,7 +2742,8 @@ static int ceph_con_in_msg_alloc(struct ceph_connection *con, int *skip)
> > msg = con->ops->alloc_msg(con, hdr, skip);
> > mutex_lock(&con->mutex);
> > if (con->state != CON_STATE_OPEN) {
> > - ceph_msg_put(msg);
> > + if (msg)
> > + ceph_msg_put(msg);
> > return -EAGAIN;
> > }
> > con->in_msg = msg;
> >
>
> --
> To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2012-10-25 15:50 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-10-24 23:20 [PATCH] libceph: avoid NULL kref_put when osd reset races with alloc_msg Sage Weil
2012-10-25 14:28 ` Alex Elder
2012-10-25 15:50 ` Sage Weil
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.