Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
tjh.dev
kernel
os
linux
ceph: fix use after free on mds __unregister_request
There was a use after free in __unregister_request that would trigger
whenever the request map held the last reference. This appears to have
triggered an oops during 'umount -f' when requests are being torn down.
Signed-off-by: Sage Weil <sage@newdream.net>
+2
-1
fs/ceph/mds_client.c
+2
-1
fs/ceph/mds_client.c
···
532
532
dout("__unregister_request %p tid %lld\n", req, req->r_tid);
533
533
rb_erase(&req->r_node, &mdsc->request_tree);
534
534
RB_CLEAR_NODE(&req->r_node);
535
-
ceph_mdsc_put_request(req);
536
535
537
536
if (req->r_unsafe_dir) {
538
537
struct ceph_inode_info *ci = ceph_inode(req->r_unsafe_dir);
···
540
541
list_del_init(&req->r_unsafe_dir_item);
541
542
spin_unlock(&ci->i_unsafe_lock);
542
543
}
544
+
545
+
ceph_mdsc_put_request(req);
543
546
}
544
547
545
548
/*