Message ID | 20221110130159.33319-1-xiubli@redhat.com (mailing list archive) |
---|---|
State | New, archived |
Series | [v5] ceph: fix NULL pointer dereference for req->r_session | expand |
On Thu, Nov 10, 2022 at 2:02 PM <xiubli@redhat.com> wrote: > > From: Xiubo Li <xiubli@redhat.com> > > The request's r_session maybe changed when it was forwarded or > resent. Both the forwarding and resending cases the requests will > be protected by the mdsc->mutex. > > Cc: stable@vger.kernel.org > URL: https://bugzilla.redhat.com/show_bug.cgi?id=2137955 > Signed-off-by: Xiubo Li <xiubli@redhat.com> > --- > > Changed in V5: > - simplify the code by removing the "unlikely(s->s_mds >= max_sessions)" check. > > Changed in V4: > - move mdsc->mutex acquisition and max_sessions assignment into "if (req1 || req2)" branch > > > > fs/ceph/caps.c | 48 ++++++++++++------------------------------------ > 1 file changed, 12 insertions(+), 36 deletions(-) > > diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c > index 894adfb4a092..065e9311b607 100644 > --- a/fs/ceph/caps.c > +++ b/fs/ceph/caps.c > @@ -2297,7 +2297,6 @@ static int flush_mdlog_and_wait_inode_unsafe_requests(struct inode *inode) > struct ceph_mds_client *mdsc = ceph_sb_to_client(inode->i_sb)->mdsc; > struct ceph_inode_info *ci = ceph_inode(inode); > struct ceph_mds_request *req1 = NULL, *req2 = NULL; > - unsigned int max_sessions; > int ret, err = 0; > > spin_lock(&ci->i_unsafe_lock); 
> @@ -2315,28 +2314,24 @@ static int flush_mdlog_and_wait_inode_unsafe_requests(struct inode *inode) > } > spin_unlock(&ci->i_unsafe_lock); > > - /* > - * The mdsc->max_sessions is unlikely to be changed > - * mostly, here we will retry it by reallocating the > - * sessions array memory to get rid of the mdsc->mutex > - * lock. > - */ > -retry: > - max_sessions = mdsc->max_sessions; > - > /* > * Trigger to flush the journal logs in all the relevant MDSes > * manually, or in the worst case we must wait at most 5 seconds > * to wait the journal logs to be flushed by the MDSes periodically. > */ > - if ((req1 || req2) && likely(max_sessions)) { > - struct ceph_mds_session **sessions = NULL; > - struct ceph_mds_session *s; > + if (req1 || req2) { > struct ceph_mds_request *req; > + struct ceph_mds_session **sessions; > + struct ceph_mds_session *s; > + unsigned int max_sessions; > int i; > > + mutex_lock(&mdsc->mutex); > + max_sessions = mdsc->max_sessions; > + > sessions = kcalloc(max_sessions, sizeof(s), GFP_KERNEL); > if (!sessions) { > + mutex_unlock(&mdsc->mutex); > err = -ENOMEM; > goto out; > } > @@ -2348,16 +2343,6 @@ static int flush_mdlog_and_wait_inode_unsafe_requests(struct inode *inode) > s = req->r_session; > if (!s) > continue; > - if (unlikely(s->s_mds >= max_sessions)) { > - spin_unlock(&ci->i_unsafe_lock); > - for (i = 0; i < max_sessions; i++) { > - s = sessions[i]; > - if (s) > - ceph_put_mds_session(s); > - } > - kfree(sessions); > - goto retry; > - } > if (!sessions[s->s_mds]) { > s = ceph_get_mds_session(s); > sessions[s->s_mds] = s; 
> @@ -2370,16 +2355,6 @@ static int flush_mdlog_and_wait_inode_unsafe_requests(struct inode *inode) > s = req->r_session; > if (!s) > continue; > - if (unlikely(s->s_mds >= max_sessions)) { > - spin_unlock(&ci->i_unsafe_lock); > - for (i = 0; i < max_sessions; i++) { > - s = sessions[i]; > - if (s) > - ceph_put_mds_session(s); > - } > - kfree(sessions); > - goto retry; > - } > if (!sessions[s->s_mds]) { > s = ceph_get_mds_session(s); > sessions[s->s_mds] = s; > @@ -2391,11 +2366,12 @@ static int flush_mdlog_and_wait_inode_unsafe_requests(struct inode *inode) > /* the auth MDS */ > spin_lock(&ci->i_ceph_lock); > if (ci->i_auth_cap) { > - s = ci->i_auth_cap->session; > - if (!sessions[s->s_mds]) > - sessions[s->s_mds] = ceph_get_mds_session(s); > + s = ci->i_auth_cap->session; > + if (!sessions[s->s_mds]) > + sessions[s->s_mds] = ceph_get_mds_session(s); > } > spin_unlock(&ci->i_ceph_lock); > + mutex_unlock(&mdsc->mutex); > > /* send flush mdlog request to MDSes */ > for (i = 0; i < max_sessions; i++) { > -- > 2.31.1 > Reviewed-by: Ilya Dryomov <idryomov@gmail.com> Thanks, Ilya
On 10/11/2022 21:48, Ilya Dryomov wrote: > On Thu, Nov 10, 2022 at 2:02 PM <xiubli@redhat.com> wrote: >> From: Xiubo Li <xiubli@redhat.com> >> >> The request's r_session maybe changed when it was forwarded or >> resent. Both the forwarding and resending cases the requests will >> be protected by the mdsc->mutex. >> >> Cc: stable@vger.kernel.org >> URL: https://bugzilla.redhat.com/show_bug.cgi?id=2137955 >> Signed-off-by: Xiubo Li <xiubli@redhat.com> >> --- >> >> Changed in V5: >> - simplify the code by removing the "unlikely(s->s_mds >= max_sessions)" check. >> >> Changed in V4: >> - move mdsc->mutex acquisition and max_sessions assignment into "if (req1 || req2)" branch >> >> >> >> fs/ceph/caps.c | 48 ++++++++++++------------------------------------ >> 1 file changed, 12 insertions(+), 36 deletions(-) >> >> diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c >> index 894adfb4a092..065e9311b607 100644 >> --- a/fs/ceph/caps.c >> +++ b/fs/ceph/caps.c >> @@ -2297,7 +2297,6 @@ static int flush_mdlog_and_wait_inode_unsafe_requests(struct inode *inode) >> struct ceph_mds_client *mdsc = ceph_sb_to_client(inode->i_sb)->mdsc; >> struct ceph_inode_info *ci = ceph_inode(inode); >> struct ceph_mds_request *req1 = NULL, *req2 = NULL; >> - unsigned int max_sessions; >> int ret, err = 0; >> >> spin_lock(&ci->i_unsafe_lock); 
>> @@ -2315,28 +2314,24 @@ static int flush_mdlog_and_wait_inode_unsafe_requests(struct inode *inode) >> } >> spin_unlock(&ci->i_unsafe_lock); >> >> - /* >> - * The mdsc->max_sessions is unlikely to be changed >> - * mostly, here we will retry it by reallocating the >> - * sessions array memory to get rid of the mdsc->mutex >> - * lock. >> - */ >> -retry: >> - max_sessions = mdsc->max_sessions; >> - >> /* >> * Trigger to flush the journal logs in all the relevant MDSes >> * manually, or in the worst case we must wait at most 5 seconds >> * to wait the journal logs to be flushed by the MDSes periodically. >> */ >> - if ((req1 || req2) && likely(max_sessions)) { >> - struct ceph_mds_session **sessions = NULL; >> - struct ceph_mds_session *s; >> + if (req1 || req2) { >> struct ceph_mds_request *req; >> + struct ceph_mds_session **sessions; >> + struct ceph_mds_session *s; >> + unsigned int max_sessions; >> int i; >> >> + mutex_lock(&mdsc->mutex); >> + max_sessions = mdsc->max_sessions; >> + >> sessions = kcalloc(max_sessions, sizeof(s), GFP_KERNEL); >> if (!sessions) { >> + mutex_unlock(&mdsc->mutex); >> err = -ENOMEM; >> goto out; >> } >> @@ -2348,16 +2343,6 @@ static int flush_mdlog_and_wait_inode_unsafe_requests(struct inode *inode) >> s = req->r_session; >> if (!s) >> continue; >> - if (unlikely(s->s_mds >= max_sessions)) { >> - spin_unlock(&ci->i_unsafe_lock); >> - for (i = 0; i < max_sessions; i++) { >> - s = sessions[i]; >> - if (s) >> - ceph_put_mds_session(s); >> - } >> - kfree(sessions); >> - goto retry; >> - } >> if (!sessions[s->s_mds]) { >> s = ceph_get_mds_session(s); >> sessions[s->s_mds] = s; 
>> @@ -2370,16 +2355,6 @@ static int flush_mdlog_and_wait_inode_unsafe_requests(struct inode *inode) >> s = req->r_session; >> if (!s) >> continue; >> - if (unlikely(s->s_mds >= max_sessions)) { >> - spin_unlock(&ci->i_unsafe_lock); >> - for (i = 0; i < max_sessions; i++) { >> - s = sessions[i]; >> - if (s) >> - ceph_put_mds_session(s); >> - } >> - kfree(sessions); >> - goto retry; >> - } >> if (!sessions[s->s_mds]) { >> s = ceph_get_mds_session(s); >> sessions[s->s_mds] = s; >> @@ -2391,11 +2366,12 @@ static int flush_mdlog_and_wait_inode_unsafe_requests(struct inode *inode) >> /* the auth MDS */ >> spin_lock(&ci->i_ceph_lock); >> if (ci->i_auth_cap) { >> - s = ci->i_auth_cap->session; >> - if (!sessions[s->s_mds]) >> - sessions[s->s_mds] = ceph_get_mds_session(s); >> + s = ci->i_auth_cap->session; >> + if (!sessions[s->s_mds]) >> + sessions[s->s_mds] = ceph_get_mds_session(s); >> } >> spin_unlock(&ci->i_ceph_lock); >> + mutex_unlock(&mdsc->mutex); >> >> /* send flush mdlog request to MDSes */ >> for (i = 0; i < max_sessions; i++) { >> -- >> 2.31.1 >> > Reviewed-by: Ilya Dryomov <idryomov@gmail.com> Thanks Ilya! - Xiubo > > Thanks, > > Ilya >
diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c index 894adfb4a092..065e9311b607 100644 --- a/fs/ceph/caps.c +++ b/fs/ceph/caps.c @@ -2297,7 +2297,6 @@ static int flush_mdlog_and_wait_inode_unsafe_requests(struct inode *inode) struct ceph_mds_client *mdsc = ceph_sb_to_client(inode->i_sb)->mdsc; struct ceph_inode_info *ci = ceph_inode(inode); struct ceph_mds_request *req1 = NULL, *req2 = NULL; - unsigned int max_sessions; int ret, err = 0; spin_lock(&ci->i_unsafe_lock); @@ -2315,28 +2314,24 @@ static int flush_mdlog_and_wait_inode_unsafe_requests(struct inode *inode) } spin_unlock(&ci->i_unsafe_lock); - /* - * The mdsc->max_sessions is unlikely to be changed - * mostly, here we will retry it by reallocating the - * sessions array memory to get rid of the mdsc->mutex - * lock. - */ -retry: - max_sessions = mdsc->max_sessions; - /* * Trigger to flush the journal logs in all the relevant MDSes * manually, or in the worst case we must wait at most 5 seconds * to wait the journal logs to be flushed by the MDSes periodically. */ - if ((req1 || req2) && likely(max_sessions)) { - struct ceph_mds_session **sessions = NULL; - struct ceph_mds_session *s; + if (req1 || req2) { struct ceph_mds_request *req; + struct ceph_mds_session **sessions; + struct ceph_mds_session *s; + unsigned int max_sessions; int i; + mutex_lock(&mdsc->mutex); + max_sessions = mdsc->max_sessions; + sessions = kcalloc(max_sessions, sizeof(s), GFP_KERNEL); if (!sessions) { + mutex_unlock(&mdsc->mutex); err = -ENOMEM; goto out; } @@ -2348,16 +2343,6 @@ static int flush_mdlog_and_wait_inode_unsafe_requests(struct inode *inode) s = req->r_session; if (!s) continue; - if (unlikely(s->s_mds >= max_sessions)) { - spin_unlock(&ci->i_unsafe_lock); - for (i = 0; i < max_sessions; i++) { - s = sessions[i]; - if (s) - ceph_put_mds_session(s); - } - kfree(sessions); - goto retry; - } if (!sessions[s->s_mds]) { s = ceph_get_mds_session(s); sessions[s->s_mds] = s; 
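Review bot: The `sessions[s->s_mds]` writes are now kept inside the `kcalloc(max_sessions, ...)` array only by holding `mdsc->mutex`, and nothing in the new code documents that. This hunk (`@@ -2315,28 +2314,24 @@`) drops the `likely(max_sessions)` guard and the two following hunks drop the `s->s_mds >= max_sessions` checks. If the intended invariant is the one the commit message implies, I would add a comment above the lock, e.g. `/* mdsc->mutex keeps r_session and max_sessions stable, so every s->s_mds used below is < max_sessions */`, so a later locking change does not silently become an out-of-bounds write. Also, `kcalloc()` with a zero count does not return NULL, so the `!sessions` test no longer covers `max_sessions == 0`; that is presumably unreachable while any session exists, but it is worth confirming or keeping an explicit check. The body of flush_mdlog_and_wait_inode_unsafe_requests() starts and ends outside this hunk.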
@@ -2370,16 +2355,6 @@ static int flush_mdlog_and_wait_inode_unsafe_requests(struct inode *inode) s = req->r_session; if (!s) continue; - if (unlikely(s->s_mds >= max_sessions)) { - spin_unlock(&ci->i_unsafe_lock); - for (i = 0; i < max_sessions; i++) { - s = sessions[i]; - if (s) - ceph_put_mds_session(s); - } - kfree(sessions); - goto retry; - } if (!sessions[s->s_mds]) { s = ceph_get_mds_session(s); sessions[s->s_mds] = s; @@ -2391,11 +2366,12 @@ static int flush_mdlog_and_wait_inode_unsafe_requests(struct inode *inode) /* the auth MDS */ spin_lock(&ci->i_ceph_lock); if (ci->i_auth_cap) { - s = ci->i_auth_cap->session; - if (!sessions[s->s_mds]) - sessions[s->s_mds] = ceph_get_mds_session(s); + s = ci->i_auth_cap->session; + if (!sessions[s->s_mds]) + sessions[s->s_mds] = ceph_get_mds_session(s); } spin_unlock(&ci->i_ceph_lock); + mutex_unlock(&mdsc->mutex); /* send flush mdlog request to MDSes */ for (i = 0; i < max_sessions; i++) {
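Review bot: The auth-cap branch, as re-indented in the `@@ -2391,11 +2366,12 @@` hunk, stores the result of `ceph_get_mds_session(s)` directly into `sessions[s->s_mds]`, but the two request loops left as context in the preceding hunks assign it back to `s` and then read `s->s_mds`. That would dereference NULL if the get can fail; the definition of ceph_get_mds_session() is not on this page, so this is an assumption to confirm. If it can return NULL, the loops should use the same form as the auth-cap branch, `sessions[s->s_mds] = ceph_get_mds_session(s);`, which only leaves the slot empty. The enclosing function continues past the end of the hunk.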