A fix for a possible use-after-free following "rbd unmap" or "umount"

marked for stable and two kernel-doc fixups. -----BEGIN PGP SIGNATURE----- iQFHBAABCAAxFiEEydHwtzie9C7TfviiSn/eOAIR84sFAmaRXKYTHGlkcnlvbW92 QGdtYWlsLmNvbQAKCRBKf944AhHzi4l2B/9a9jLU/CJwNdvq2wkMn7wis9QlXaz9 shIAefqvCY92pCAbsyHjbG6OnY5hU/eI1l64pnzws8aTtAt4kuhnTwQAMjUIPbjg 6ji1IkDu5Z9csiVxZ0R4KAzjcEOAxnv/TeGMu1FgpRwTvKXqThotHt3N/pm6Nj6x iJlxNpDBgUXjjdOc2Kd6kTVZ2CJwOhaTjMyXphxNbhCIO+2ULHWf0VZecTG4oKbO C7C4fJe+gsJl0GsjzlbTwrj50WTSsKP+QBc6cxutFIaUCO52wgf7k5EBs+5JXb7s mkioLXxS+9Iz58OIrtbW6vMVp35MDSSc8NNRd3uUzsMwIYiU9Uvg38+j =em4x -----END PGP SIGNATURE----- Merge tag 'ceph-for-6.10-rc8' of https://github.com/ceph/ceph-client Pull ceph fixes from Ilya Dryomov: "A fix for a possible use-after-free following "rbd unmap" or "umount" marked for stable and two kernel-doc fixups" * tag 'ceph-for-6.10-rc8' of https://github.com/ceph/ceph-client: libceph: fix crush_choose_firstn() kernel-doc warnings libceph: suppress crush_choose_indep() kernel-doc warnings libceph: fix race between delayed_work() and ceph_monc_stop()
2024-07-12 10:39:29 -07:00 · 2024-07-12 10:39:29 -07:00 · a52ff901a1
commit a52ff901a1
parent ac6a9e07a7 359bc01d2e
2 changed files with 17 additions and 4 deletions
--- a/net/ceph/crush/mapper.c
+++ b/net/ceph/crush/mapper.c
@ -429,7 +429,10 @@ static int is_out(const struct crush_map *map,
 /**
 * crush_choose_firstn - choose numrep distinct items of given type
 * @map: the crush_map
+ * @work: working space initialized by crush_init_workspace()
 * @bucket: the bucket we are choose an item from
+ * @weight: weight vector (for map leaves)
+ * @weight_max: size of weight vector
 * @x: crush input value
 * @numrep: the number of items to choose
 * @type: the type of item to choose
@ -445,6 +448,7 @@ static int is_out(const struct crush_map *map,
 * @vary_r: pass r to recursive calls
 * @out2: second output vector for leaf items (if @recurse_to_leaf)
 * @parent_r: r value passed from the parent
+ * @choose_args: weights and ids for each known bucket
 */
 static int crush_choose_firstn(const struct crush_map *map,
 			       struct crush_work *work,
@ -636,9 +640,8 @@ reject:
 }


-/**
+/*
 * crush_choose_indep: alternative breadth-first positionally stable mapping
- *
 */
 static void crush_choose_indep(const struct crush_map *map,
 			       struct crush_work *work,
--- a/net/ceph/mon_client.c
+++ b/net/ceph/mon_client.c
@ -1085,13 +1085,19 @@ static void delayed_work(struct work_struct *work)
 	struct ceph_mon_client *monc =
 		container_of(work, struct ceph_mon_client, delayed_work.work);

-	dout("monc delayed_work\n");
 	mutex_lock(&monc->mutex);
+	dout("%s mon%d\n", __func__, monc->cur_mon);
+	if (monc->cur_mon < 0) {
+		goto out;
+	}
+
 	if (monc->hunting) {
 		dout("%s continuing hunt\n", __func__);
 		reopen_session(monc);
 	} else {
 		int is_auth = ceph_auth_is_authenticated(monc->auth);
+
+		dout("%s is_authed %d\n", __func__, is_auth);
 		if (ceph_con_keepalive_expired(&monc->con,
 					       CEPH_MONC_PING_TIMEOUT)) {
 			dout("monc keepalive timeout\n");
@ -1116,6 +1122,8 @@ static void delayed_work(struct work_struct *work)
 		}
 	}
 	__schedule_delayed(monc);
+
+out:
 	mutex_unlock(&monc->mutex);
 }

@ -1232,13 +1240,15 @@ EXPORT_SYMBOL(ceph_monc_init);
 void ceph_monc_stop(struct ceph_mon_client *monc)
 {
 	dout("stop\n");
-	cancel_delayed_work_sync(&monc->delayed_work);

 	mutex_lock(&monc->mutex);
 	__close_session(monc);
+	monc->hunting = false;
 	monc->cur_mon = -1;
 	mutex_unlock(&monc->mutex);

+	cancel_delayed_work_sync(&monc->delayed_work);
+
 	/*
 	 * flush msgr queue before we destroy ourselves to ensure that:
 	 *  - any work that references our embedded con is finished.