Message ID | 20221110020828.1899393-1-xiubli@redhat.com (mailing list archive) |
---|---|
State | New, archived |
Series | [v4] ceph: fix NULL pointer dereference for req->r_session |
On Thu, Nov 10, 2022 at 3:08 AM <xiubli@redhat.com> wrote:
>
> From: Xiubo Li <xiubli@redhat.com>
>
> The request's r_session may be changed when it is forwarded or
> resent.
>
> Cc: stable@vger.kernel.org
> URL: https://bugzilla.redhat.com/show_bug.cgi?id=2137955
> Signed-off-by: Xiubo Li <xiubli@redhat.com>
> ---
>
> Changed in V4:
> - move mdsc->mutex acquisition and max_sessions assignment into "if (req1 || req2)" branch
>
>  fs/ceph/caps.c | 54 +++++++++++++++-----------------------------------
>  1 file changed, 16 insertions(+), 38 deletions(-)
>
> diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c
> index 894adfb4a092..1c84be839087 100644
> --- a/fs/ceph/caps.c
> +++ b/fs/ceph/caps.c
> @@ -2297,7 +2297,6 @@ static int flush_mdlog_and_wait_inode_unsafe_requests(struct inode *inode)
>  	struct ceph_mds_client *mdsc = ceph_sb_to_client(inode->i_sb)->mdsc;
>  	struct ceph_inode_info *ci = ceph_inode(inode);
>  	struct ceph_mds_request *req1 = NULL, *req2 = NULL;
> -	unsigned int max_sessions;
>  	int ret, err = 0;
>
>  	spin_lock(&ci->i_unsafe_lock);
> @@ -2315,28 +2314,24 @@ static int flush_mdlog_and_wait_inode_unsafe_requests(struct inode *inode)
>  	}
>  	spin_unlock(&ci->i_unsafe_lock);
>
> -	/*
> -	 * The mdsc->max_sessions is unlikely to be changed
> -	 * mostly, here we will retry it by reallocating the
> -	 * sessions array memory to get rid of the mdsc->mutex
> -	 * lock.
> -	 */
> -retry:
> -	max_sessions = mdsc->max_sessions;
> -
>  	/*
>  	 * Trigger to flush the journal logs in all the relevant MDSes
>  	 * manually, or in the worst case we must wait at most 5 seconds
>  	 * to wait the journal logs to be flushed by the MDSes periodically.
>  	 */
> -	if ((req1 || req2) && likely(max_sessions)) {
> -		struct ceph_mds_session **sessions = NULL;
> -		struct ceph_mds_session *s;
> +	if (req1 || req2) {
>  		struct ceph_mds_request *req;
> +		struct ceph_mds_session **sessions;
> +		struct ceph_mds_session *s;
> +		unsigned int max_sessions;
>  		int i;
>
> +		mutex_lock(&mdsc->mutex);
> +		max_sessions = mdsc->max_sessions;
> +
>  		sessions = kcalloc(max_sessions, sizeof(s), GFP_KERNEL);
>  		if (!sessions) {
> +			mutex_unlock(&mdsc->mutex);
>  			err = -ENOMEM;
>  			goto out;
>  		}
> @@ -2346,18 +2341,8 @@ static int flush_mdlog_and_wait_inode_unsafe_requests(struct inode *inode)
>  		list_for_each_entry(req, &ci->i_unsafe_dirops,
>  				    r_unsafe_dir_item) {
>  			s = req->r_session;
> -			if (!s)
> +			if (!s || unlikely(s->s_mds >= max_sessions))

Hi Xiubo,

I would be fine with this patch as is but I'm wondering if it can be
simplified further. Now that mdsc->mutex is held while sessions array
is populated, is checking s->s_mds against max_sessions actually
needed? Is it possible for some req->r_session on one of the unsafe
lists to have an "out of bounds" s_mds under mdsc->mutex?

Thanks,

Ilya
On 10/11/2022 19:49, Ilya Dryomov wrote:
> On Thu, Nov 10, 2022 at 3:08 AM <xiubli@redhat.com> wrote:
>> From: Xiubo Li <xiubli@redhat.com>
>>
>> The request's r_session maybe changed when it was forwarded or
>> resent.
>>
[...]
>> @@ -2346,18 +2341,8 @@ static int flush_mdlog_and_wait_inode_unsafe_requests(struct inode *inode)
>>  		list_for_each_entry(req, &ci->i_unsafe_dirops,
>>  				    r_unsafe_dir_item) {
>>  			s = req->r_session;
>> -			if (!s)
>> +			if (!s || unlikely(s->s_mds >= max_sessions))
> Hi Xiubo,
>
> I would be fine with this patch as is but I'm wondering if it can be
> simplified further. Now that mdsc->mutex is held while sessions array
> is populated, is checking s->s_mds against max_sessions actually
> needed? Is it possible for some req->r_session on one of the unsafe
> lists to have an "out of bounds" s_mds under mdsc->mutex?

Yeah, this can be simplified. Let me do that.

Thanks!

- Xiubo

> Thanks,
>
> Ilya
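Ilya's point is that holding mdsc->mutex pins max_sessions while the array is filled, so the per-request bounds check (and the old retry-on-resize dance) become unnecessary. A minimal user-space sketch of that collection pattern, using toy stand-ins for the ceph structs (`session`, `request`, and `collect_sessions` are all hypothetical, not the kernel API):

```c
#include <stdlib.h>

/* Toy stand-ins for ceph_mds_session / ceph_mds_request; the real
 * kernel structs are much larger. */
struct session { unsigned int s_mds; int refcount; };
struct request { struct session *r_session; };

/*
 * Collect each session referenced by reqs[] exactly once into an array
 * indexed by MDS rank. The caller is assumed to hold the lock that
 * fixes max_sessions, so every s_mds is in bounds and no retry loop is
 * needed. Returns a calloc'ed array of length max_sessions (caller
 * frees), or NULL on allocation failure.
 */
static struct session **collect_sessions(struct request *reqs, int nreq,
                                         unsigned int max_sessions)
{
    struct session **sessions = calloc(max_sessions, sizeof(*sessions));
    if (!sessions)
        return NULL;

    for (int i = 0; i < nreq; i++) {
        struct session *s = reqs[i].r_session;
        if (!s)
            continue;           /* request not yet bound to a session */
        if (!sessions[s->s_mds]) {
            s->refcount++;      /* stands in for ceph_get_mds_session() */
            sessions[s->s_mds] = s;
        }
    }
    return sessions;
}
```

Duplicate references to the same session bump the refcount only once, mirroring the `!sessions[s->s_mds]` guard in the patch.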
diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c
index 894adfb4a092..1c84be839087 100644
--- a/fs/ceph/caps.c
+++ b/fs/ceph/caps.c
@@ -2297,7 +2297,6 @@ static int flush_mdlog_and_wait_inode_unsafe_requests(struct inode *inode)
 	struct ceph_mds_client *mdsc = ceph_sb_to_client(inode->i_sb)->mdsc;
 	struct ceph_inode_info *ci = ceph_inode(inode);
 	struct ceph_mds_request *req1 = NULL, *req2 = NULL;
-	unsigned int max_sessions;
 	int ret, err = 0;
 
 	spin_lock(&ci->i_unsafe_lock);
@@ -2315,28 +2314,24 @@ static int flush_mdlog_and_wait_inode_unsafe_requests(struct inode *inode)
 	}
 	spin_unlock(&ci->i_unsafe_lock);
 
-	/*
-	 * The mdsc->max_sessions is unlikely to be changed
-	 * mostly, here we will retry it by reallocating the
-	 * sessions array memory to get rid of the mdsc->mutex
-	 * lock.
-	 */
-retry:
-	max_sessions = mdsc->max_sessions;
-
 	/*
 	 * Trigger to flush the journal logs in all the relevant MDSes
 	 * manually, or in the worst case we must wait at most 5 seconds
 	 * to wait the journal logs to be flushed by the MDSes periodically.
 	 */
-	if ((req1 || req2) && likely(max_sessions)) {
-		struct ceph_mds_session **sessions = NULL;
-		struct ceph_mds_session *s;
+	if (req1 || req2) {
 		struct ceph_mds_request *req;
+		struct ceph_mds_session **sessions;
+		struct ceph_mds_session *s;
+		unsigned int max_sessions;
 		int i;
 
+		mutex_lock(&mdsc->mutex);
+		max_sessions = mdsc->max_sessions;
+
 		sessions = kcalloc(max_sessions, sizeof(s), GFP_KERNEL);
 		if (!sessions) {
+			mutex_unlock(&mdsc->mutex);
 			err = -ENOMEM;
 			goto out;
 		}
@@ -2346,18 +2341,8 @@ static int flush_mdlog_and_wait_inode_unsafe_requests(struct inode *inode)
 		list_for_each_entry(req, &ci->i_unsafe_dirops,
 				    r_unsafe_dir_item) {
 			s = req->r_session;
-			if (!s)
+			if (!s || unlikely(s->s_mds >= max_sessions))
 				continue;
-			if (unlikely(s->s_mds >= max_sessions)) {
-				spin_unlock(&ci->i_unsafe_lock);
-				for (i = 0; i < max_sessions; i++) {
-					s = sessions[i];
-					if (s)
-						ceph_put_mds_session(s);
-				}
-				kfree(sessions);
-				goto retry;
-			}
 			if (!sessions[s->s_mds]) {
 				s = ceph_get_mds_session(s);
 				sessions[s->s_mds] = s;
@@ -2368,18 +2353,8 @@ static int flush_mdlog_and_wait_inode_unsafe_requests(struct inode *inode)
 		list_for_each_entry(req, &ci->i_unsafe_iops,
 				    r_unsafe_target_item) {
 			s = req->r_session;
-			if (!s)
+			if (!s || unlikely(s->s_mds >= max_sessions))
 				continue;
-			if (unlikely(s->s_mds >= max_sessions)) {
-				spin_unlock(&ci->i_unsafe_lock);
-				for (i = 0; i < max_sessions; i++) {
-					s = sessions[i];
-					if (s)
-						ceph_put_mds_session(s);
-				}
-				kfree(sessions);
-				goto retry;
-			}
 			if (!sessions[s->s_mds]) {
 				s = ceph_get_mds_session(s);
 				sessions[s->s_mds] = s;
@@ -2391,11 +2366,14 @@ static int flush_mdlog_and_wait_inode_unsafe_requests(struct inode *inode)
 		/* the auth MDS */
 		spin_lock(&ci->i_ceph_lock);
 		if (ci->i_auth_cap) {
-			s = ci->i_auth_cap->session;
-			if (!sessions[s->s_mds])
-				sessions[s->s_mds] = ceph_get_mds_session(s);
+			s = ci->i_auth_cap->session;
+			if (likely(s->s_mds < max_sessions) &&
+			    !sessions[s->s_mds]) {
+				sessions[s->s_mds] = ceph_get_mds_session(s);
+			}
 		}
 		spin_unlock(&ci->i_ceph_lock);
+		mutex_unlock(&mdsc->mutex);
 
 		/* send flush mdlog request to MDSes */
 		for (i = 0; i < max_sessions; i++) {
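The structural change in this patch boils down to a lock-bracketing rule: read max_sessions and populate the array under mdsc->mutex, and make every exit path, including the kcalloc failure path, drop the mutex before leaving. A user-space sketch with a pthread mutex standing in for mdsc->mutex (`flush_unsafe` and its constants are illustrative stand-ins, not kernel code):

```c
#include <pthread.h>
#include <stdlib.h>

static pthread_mutex_t mdsc_mutex = PTHREAD_MUTEX_INITIALIZER;
static unsigned int max_sessions = 4;   /* stands in for mdsc->max_sessions */

/* Returns 0 on success (writing the snapshotted session count to *n_out),
 * or -12 (-ENOMEM) on allocation failure; force_enomem simulates kcalloc
 * failing. Either way the mutex is released before returning. */
static int flush_unsafe(int force_enomem, unsigned int *n_out)
{
    pthread_mutex_lock(&mdsc_mutex);
    unsigned int n = max_sessions;              /* snapshot under the lock */

    void **sessions = force_enomem ? NULL : calloc(n, sizeof(*sessions));
    if (!sessions) {
        pthread_mutex_unlock(&mdsc_mutex);      /* the unlock the patch adds */
        return -12;                             /* -ENOMEM */
    }

    /* ... populate sessions[] while the lock still pins max_sessions ... */

    pthread_mutex_unlock(&mdsc_mutex);

    /* ... send flush-mdlog requests with the mutex dropped ... */
    free(sessions);
    *n_out = n;
    return 0;
}
```

Dropping the mutex before issuing the (potentially slow) flush requests keeps the critical section limited to the array setup, so the lock is never held across network I/O.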