On Mon, Jun 30, 2014 at 5:50 PM, Alex Elder <[email protected]> wrote:
> On 06/25/2014 12:16 PM, Ilya Dryomov wrote:
>> Linger requests that have not yet been registered should not be
>> unregistered by __unregister_linger_request().  This messes up ref
>> count and leads to use-after-free.
>>
>> Signed-off-by: Ilya Dryomov <[email protected]>
>> ---
>>  net/ceph/osd_client.c |   15 +++++++++++++--
>>  1 file changed, 13 insertions(+), 2 deletions(-)
>>
>> diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c
>> index a9b7ea7bfdc6..12ec553a7e76 100644
>> --- a/net/ceph/osd_client.c
>> +++ b/net/ceph/osd_client.c
>> @@ -1248,7 +1248,9 @@ static void __cancel_request(struct ceph_osd_request 
>> *req)
>>  static void __register_linger_request(struct ceph_osd_client *osdc,
>>                                   struct ceph_osd_request *req)
>>  {
>> -     dout("__register_linger_request %p\n", req);
>> +     dout("%s %p tid %llu\n", __func__, req, req->r_tid);
>> +     WARN_ON(!req->r_linger);
>> +
>>       ceph_osdc_get_request(req);
>>       list_add_tail(&req->r_linger_item, &osdc->req_linger);
>>       if (req->r_osd)
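
Review bot: The WARN_ON(!req->r_linger) added at the top of __register_linger_request() only reports the violation; execution still falls through to ceph_osdc_get_request(req) and list_add_tail(&req->r_linger_item, &osdc->req_linger), so a request without r_linger set still gets the extra reference and the list entry. Since the commit message is about a ref count imbalance that ends in use-after-free, consider returning early on failure, for example `if (WARN_ON(!req->r_linger)) return;`, or add a comment explaining why continuing is safe.
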
>> @@ -1259,8 +1261,17 @@ static void __register_linger_request(struct 
>> ceph_osd_client *osdc,
>>  static void __unregister_linger_request(struct ceph_osd_client *osdc,
>>                                       struct ceph_osd_request *req)
>>  {
>> -     dout("__unregister_linger_request %p\n", req);
>> +     WARN_ON(!req->r_linger);
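
Review bot: The WARN_ON(!req->r_linger) at the top of __unregister_linger_request() tests the linger flag, while the commit message names a different condition: a request that has not yet been registered. The lines quoted here do not show a check on registration state, so a short comment stating the precondition callers must meet (r_linger still set, request already on osdc->req_linger) would help. The dout trace is also removed on this side while the register side gained `dout("%s %p tid %llu\n", __func__, req, req->r_tid);`; if no replacement follows in the unquoted part, a matching trace here would make reference imbalances easier to follow in debug logs.
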
>
>
> I just noticed something.  ceph_osdc_unregister_linger_request()
> clears req->r_linger before calling __unregister_linger_request(),
> which means this warning must be tripping a lot...
>
> Just delete that assignment in ceph_osdc_unregister_linger_request()
> as part of this commit.

ceph_osdc_unregister_linger_request() is removed entirely later in the
series.

Thanks,

                Ilya