qiurui
/
Ubuntu-focal-kernel
mirror of https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/focal
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
Ubuntu-focal-kernel/net/ceph
History
Ilya Dryomov e975125dcf libceph: fix race between delayed_work() and ceph_monc_stop() 
BugLink: https://bugs.launchpad.net/bugs/2075175

commit 69c7b2fe4c9cc1d3b1186d1c5606627ecf0de883 upstream.

The way the delayed work is handled in ceph_monc_stop() is prone to
races with mon_fault() and possibly also finish_hunting().  Both of
these can requeue the delayed work which wouldn't be canceled by any of
the following code in case that happens after cancel_delayed_work_sync()
runs -- __close_session() doesn't mess with the delayed work in order
to avoid interfering with the hunting interval logic.  This part was
missed in commit b5d91704f5 ("libceph: behave in mon_fault() if
cur_mon < 0") and use-after-free can still ensue on monc and objects
that hang off of it, with monc->auth and monc->monmap being
particularly susceptible to quickly being reused.

To fix this:

- clear monc->cur_mon and monc->hunting as part of closing the session
  in ceph_monc_stop()
- bail from delayed_work() if monc->cur_mon is cleared, similar to how
  it's done in mon_fault() and finish_hunting() (based on monc->hunting)
- call cancel_delayed_work_sync() after the session is closed

Cc: stable@vger.kernel.org
Link: https://tracker.ceph.com/issues/66857
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Xiubo Li <xiubli@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Manuel Diewald <manuel.diewald@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
 		2024-08-02 16:16:34 +02:00
..
crush
Kconfig
Makefile
armor.c
auth.c
auth_none.c
auth_none.h
auth_x.c
auth_x.h
auth_x_protocol.h
buffer.c
ceph_common.c
ceph_fs.c
ceph_hash.c
ceph_strings.c
cls_lock_client.c
crypto.c
crypto.h
debugfs.c
decode.c
messenger.c libceph: use kernel_connect() 2024-01-05 14:29:54 +01:00
mon_client.c libceph: fix race between delayed_work() and ceph_monc_stop() 2024-08-02 16:16:34 +02:00
msgpool.c
osd_client.c
osdmap.c
pagelist.c
pagevec.c
snapshot.c
string_table.c
striper.c