From: Alex Elder <elder@ieee.org>
To: Ilya Dryomov <ilya.dryomov@inktank.com>, ceph-devel@vger.kernel.org
Subject: Re: [PATCH 07/14] libceph: unregister only registered linger requests
Date: Mon, 30 Jun 2014 08:05:33 -0500
Message-ID: <53B1609D.3090202@ieee.org>
In-Reply-To: <1403716607-13535-8-git-send-email-ilya.dryomov@inktank.com>
On 06/25/2014 12:16 PM, Ilya Dryomov wrote:
> Linger requests that have not yet been registered should not be
> unregistered by __unregister_linger_request(). This messes up ref
> count and leads to use-after-free.

This makes sense. The problem can occur when updating the OSD
map. An OSD *client* has its list of linger requests, but they
are not all necessarily registered as associated with the *OSD*.
So the __unregister_linger_request() call in kick_requests()
might pass a not-yet-registered linger request.

It could also occur if a client (like RBD) gets an error after
setting a request to linger but the request has completed
successfully.

Anyway, looks good. This explains why the rename of the
r_linger_osd_item field was helpful.

Reviewed-by: Alex Elder <elder@linaro.org>
>
> Signed-off-by: Ilya Dryomov <ilya.dryomov@inktank.com>
> ---
> net/ceph/osd_client.c | 15 +++++++++++++--
> 1 file changed, 13 insertions(+), 2 deletions(-)
>
> diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c
> index a9b7ea7bfdc6..12ec553a7e76 100644
> --- a/net/ceph/osd_client.c
> +++ b/net/ceph/osd_client.c
> @@ -1248,7 +1248,9 @@ static void __cancel_request(struct ceph_osd_request *req)
> static void __register_linger_request(struct ceph_osd_client *osdc,
> struct ceph_osd_request *req)
> {
> - dout("__register_linger_request %p\n", req);
> + dout("%s %p tid %llu\n", __func__, req, req->r_tid);
> + WARN_ON(!req->r_linger);
> +
> ceph_osdc_get_request(req);
> list_add_tail(&req->r_linger_item, &osdc->req_linger);
> if (req->r_osd)
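Review bot: In __register_linger_request() the new WARN_ON(!req->r_linger) only reports the condition, and the function still calls ceph_osdc_get_request() and list_add_tail(&req->r_linger_item, ...) with no check that the item is not already on osdc->req_linger. Because the unregister side of this patch uses list_empty(&req->r_linger_item) as its "not registered" marker, a matching WARN_ON(!list_empty(&req->r_linger_item)) ahead of the list_add_tail() would catch a double registration, which would otherwise take a second reference and corrupt the list. That check, like the one in the next hunk, only holds if r_linger_item is initialized as an empty list head when the request is set up, which this hunk does not show.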
> @@ -1259,8 +1261,17 @@ static void __register_linger_request(struct ceph_osd_client *osdc,
> static void __unregister_linger_request(struct ceph_osd_client *osdc,
> struct ceph_osd_request *req)
> {
> - dout("__unregister_linger_request %p\n", req);
> + WARN_ON(!req->r_linger);
> +
> + if (list_empty(&req->r_linger_item)) {
> + dout("%s %p tid %llu not registered\n", __func__, req,
> + req->r_tid);
> + return;
> + }
> +
> + dout("%s %p tid %llu\n", __func__, req, req->r_tid);
> list_del_init(&req->r_linger_item);
> +
> if (req->r_osd) {
> list_del_init(&req->r_linger_osd_item);
> maybe_move_osd_to_lru(osdc, req->r_osd);
>
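Review bot: The early return on list_empty(&req->r_linger_item) in __unregister_linger_request() makes the list node double as the "registered" flag, and that invariant is not documented anywhere in the hunk. It is only valid while every removal of r_linger_item goes through list_del_init(), as the line below the check does; a plain list_del() elsewhere would leave the node non-empty and let a later call fall through to the unregister path again. A short comment above the check stating this would help. Separately, the not-registered case is reported only through dout(), so it is silent unless debugging output is enabled; if the caller paths that can pass an unregistered request are known, naming them in that comment would let a reader tell the expected case from a bug.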