author | Xiubo Li <xiubli@redhat.com> | 2023-04-19 10:39:14 +0800 |
---|---|---|
committer | Ilya Dryomov <idryomov@gmail.com> | 2023-04-30 12:37:28 +0200 |
commit | aaf67de78807c59c35bafb5003d4fb457c764800 (patch) | |
tree | ca4240b921c125f5ec462f01284da73f6b182ca4 /fs/ceph/mds_client.h | |
parent | 7d41870d65db028234333c68e60a034ac335557a (diff) | |
ceph: fix potential use-after-free bug when trimming caps

When trimming the caps and just after the 'session->s_cap_lock' is
released in ceph_iterate_session_caps() the cap may be removed by
another thread, and when using the stale cap memory in the callbacks
it will trigger use-after-free crash.

We need to check the existence of the cap just after the 'ci->i_ceph_lock'
being acquired. And do nothing if it's already removed.

Cc: stable@vger.kernel.org
Link: https://tracker.ceph.com/issues/43272
Signed-off-by: Xiubo Li <xiubli@redhat.com>
Reviewed-by: Luís Henriques <lhenriques@suse.de>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>

Diffstat (limited to 'fs/ceph/mds_client.h')
-rw-r--r-- | fs/ceph/mds_client.h | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/fs/ceph/mds_client.h b/fs/ceph/mds_client.h index 0598faa50e2e..18b026b1ac63 100644 --- a/fs/ceph/mds_client.h +++ b/fs/ceph/mds_client.h @@ -541,8 +541,7 @@ extern void ceph_flush_cap_releases(struct ceph_mds_client *mdsc, extern void ceph_queue_cap_reclaim_work(struct ceph_mds_client *mdsc); extern void ceph_reclaim_caps_nr(struct ceph_mds_client *mdsc, int nr); extern int ceph_iterate_session_caps(struct ceph_mds_session *session, - int (*cb)(struct inode *, - struct ceph_cap *, void *), + int (*cb)(struct inode *, int mds, void *), void *arg); extern void ceph_mdsc_pre_umount(struct ceph_mds_client *mdsc); |
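
Review bot: The new `cb` prototype of ceph_iterate_session_caps() carries no comment stating the contract that callbacks now have to follow, and nothing in the header enforces it. The callback receives `int mds` instead of `struct ceph_cap *`, so each implementation has to look the cap up again itself, and per the commit message that lookup is only safe once 'ci->i_ceph_lock' is held, with the callback doing nothing when the cap is already gone. A short comment above the declaration saying "cb must re-resolve the cap for `mds` under ci->i_ceph_lock and return early if it no longer exists" would keep future callbacks from caching or dereferencing a cap outside that lock. As a style point, `int mds` is now the only named parameter in the function-pointer type (`struct inode *` and `void *` are unnamed); naming all three, or none, would read more consistently. This view is limited to fs/ceph/mds_client.h, so the converted callbacks are not visible here and should be checked for the existence test the commit message describes.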