diff options
| author | Xiubo Li <xiubli@redhat.com> | 2021-08-18 21:38:42 +0800 |
|---|---|---|
| committer | Ilya Dryomov <idryomov@gmail.com> | 2021-08-25 16:34:11 +0200 |
| commit | b2f9fa1f3bd8846f50b355fc2168236975c4d264 (patch) | |
| tree | e0aee74a8b50c39d3628a9d772911b740e8fbcbb /fs/ceph/super.h | |
| parent | e22ce8eb631bdc47a4a4ea7ecf4e4ba499db4f93 (diff) | |
ceph: correctly handle releasing an embedded cap flush
The ceph_cap_flush structures are usually dynamically allocated, but
the ceph_cap_snap has an embedded one.
When force umounting, the client will try to remove all the session
caps. During this, it will free them, but that should not be done
with the ones embedded in a capsnap.
Fix this by adding a new boolean that indicates that the cap flush is
embedded in a capsnap, and skip freeing it if that's set.
At the same time, switch to using list_del_init() when detaching the
i_list and g_list heads. It's possible for a forced umount to remove
these objects but then handle_cap_flushsnap_ack() races in and does the
list_del_init() again, corrupting memory.
Cc: stable@vger.kernel.org
URL: https://tracker.ceph.com/issues/52283
Signed-off-by: Xiubo Li <xiubli@redhat.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Diffstat (limited to 'fs/ceph/super.h')
| -rw-r--r-- | fs/ceph/super.h | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/fs/ceph/super.h b/fs/ceph/super.h index 9215a2f4535c..b1a363641beb 100644 --- a/fs/ceph/super.h +++ b/fs/ceph/super.h @@ -182,8 +182,9 @@ struct ceph_cap { struct ceph_cap_flush { u64 tid; - int caps; /* 0 means capsnap */ + int caps; bool wake; /* wake up flush waiters when finish ? */ + bool is_capsnap; /* true means capsnap */ struct list_head g_list; // global struct list_head i_list; // per inode }; |