Commit 94aa8ae1 authored by Sage Weil's avatar Sage Weil

ceph: fix use after free on mds __unregister_request

There was a use after free in __unregister_request that would trigger
whenever the request map held the last reference.  This appears to have
triggered an oops during 'umount -f' when requests are being torn down.
Signed-off-by: default avatarSage Weil <sage@newdream.net>
parent 23ab15ad
...@@ -532,7 +532,6 @@ static void __unregister_request(struct ceph_mds_client *mdsc, ...@@ -532,7 +532,6 @@ static void __unregister_request(struct ceph_mds_client *mdsc,
dout("__unregister_request %p tid %lld\n", req, req->r_tid); dout("__unregister_request %p tid %lld\n", req, req->r_tid);
rb_erase(&req->r_node, &mdsc->request_tree); rb_erase(&req->r_node, &mdsc->request_tree);
RB_CLEAR_NODE(&req->r_node); RB_CLEAR_NODE(&req->r_node);
ceph_mdsc_put_request(req);
if (req->r_unsafe_dir) { if (req->r_unsafe_dir) {
struct ceph_inode_info *ci = ceph_inode(req->r_unsafe_dir); struct ceph_inode_info *ci = ceph_inode(req->r_unsafe_dir);
...@@ -541,6 +540,8 @@ static void __unregister_request(struct ceph_mds_client *mdsc, ...@@ -541,6 +540,8 @@ static void __unregister_request(struct ceph_mds_client *mdsc,
list_del_init(&req->r_unsafe_dir_item); list_del_init(&req->r_unsafe_dir_item);
spin_unlock(&ci->i_unsafe_lock); spin_unlock(&ci->i_unsafe_lock);
} }
ceph_mdsc_put_request(req);
} }
/* /*
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment