From: Sage Weil Date: Mon, 29 Mar 2010 04:22:50 +0000 (-0700) Subject: ceph: fix use after free on mds __unregister_request X-Git-Tag: firefly_0821_release~9833^2~2459^2~2 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=94aa8ae13db2ecf2ec1b4e65a65d3fe92b468e0e;p=firefly-linux-kernel-4.4.55.git ceph: fix use after free on mds __unregister_request There was a use after free in __unregister_request that would trigger whenever the request map held the last reference. This appears to have triggered an oops during 'umount -f' when requests are being torn down. Signed-off-by: Sage Weil --- diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c index 5268d404963c..5c7920be6420 100644 --- a/fs/ceph/mds_client.c +++ b/fs/ceph/mds_client.c @@ -532,7 +532,6 @@ static void __unregister_request(struct ceph_mds_client *mdsc, dout("__unregister_request %p tid %lld\n", req, req->r_tid); rb_erase(&req->r_node, &mdsc->request_tree); RB_CLEAR_NODE(&req->r_node); - ceph_mdsc_put_request(req); if (req->r_unsafe_dir) { struct ceph_inode_info *ci = ceph_inode(req->r_unsafe_dir); @@ -541,6 +540,8 @@ static void __unregister_request(struct ceph_mds_client *mdsc, list_del_init(&req->r_unsafe_dir_item); spin_unlock(&ci->i_unsafe_lock); } + + ceph_mdsc_put_request(req); } /*