iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

rbd: call rbd_dev_unprobe() after unwatching and flushing notifies

Browse Source 
[ Upstream commit 952c48b0ed ]

rbd_dev_unprobe() is supposed to undo most of rbd_dev_image_probe(),
including rbd_dev_header_info(), which means that rbd_dev_header_info()
isn't supposed to be called after rbd_dev_unprobe().

However, rbd_dev_image_release() calls rbd_dev_unprobe() before
rbd_unregister_watch().  This is racy because a header update notify
can sneak in:

  "rbd unmap" thread                   ceph-watch-notify worker

  rbd_dev_image_release()
    rbd_dev_unprobe()
      free and zero out header
                                       rbd_watch_cb()
                                         rbd_dev_refresh()
                                           rbd_dev_header_info()
                                             read in header

The same goes for "rbd map" because rbd_dev_image_probe() calls
rbd_dev_unprobe() on errors.  In both cases this results in a memory
leak.

Fixes: fd22aef8b4 ("rbd: move rbd_unregister_watch() call into rbd_dev_image_release()")
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Jason Dillaman <dillaman@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
Ilya Dryomov
2020-03-16 15:52:54 +01:00
committed by Greg Kroah-Hartman
parent 88a57e387c
commit d662b44161
1 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
drivers/block/rbd.c
View File

@ -6933,9 +6933,10 @@ static int rbd_dev_header_name(struct rbd_device *rbd_dev)
static void rbd_dev_image_release(struct rbd_device *rbd_dev) static void rbd_dev_image_release(struct rbd_device *rbd_dev)
{ {
rbd_dev_unprobe(rbd_dev);
if (rbd_dev->opts) if (rbd_dev->opts)
rbd_unregister_watch(rbd_dev); rbd_unregister_watch(rbd_dev);
rbd_dev_unprobe(rbd_dev);
rbd_dev->image_format = 0; rbd_dev->image_format = 0;
kfree(rbd_dev->spec->image_id); kfree(rbd_dev->spec->image_id);
rbd_dev->spec->image_id = NULL; rbd_dev->spec->image_id = NULL;
@ -6986,7 +6987,7 @@ static int rbd_dev_image_probe(struct rbd_device *rbd_dev, int depth)
ret = rbd_dev_header_info(rbd_dev); ret = rbd_dev_header_info(rbd_dev);
if (ret) if (ret)
goto err_out_watch; goto err_out_probe;
/* /*
* If this image is the one being mapped, we have pool name and * If this image is the one being mapped, we have pool name and
@ -7035,12 +7036,11 @@ static int rbd_dev_image_probe(struct rbd_device *rbd_dev, int depth)
return 0; return 0;
err_out_probe: err_out_probe:
rbd_dev_unprobe(rbd_dev);
err_out_watch:
if (!depth) if (!depth)
up_write(&rbd_dev->header_rwsem); up_write(&rbd_dev->header_rwsem);
if (!depth) if (!depth)
rbd_unregister_watch(rbd_dev); rbd_unregister_watch(rbd_dev);
rbd_dev_unprobe(rbd_dev);
err_out_format: err_out_format:
rbd_dev->image_format = 0; rbd_dev->image_format = 0;
kfree(rbd_dev->spec->image_id); kfree(rbd_dev->spec->image_id);