diff options
author | Sage Weil <sage@inktank.com> | 2012-10-24 16:12:58 -0700 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2012-11-26 11:38:43 -0800 |
commit | 631015e45ee3bdcde1fe75e7d04fdfece6e42016 (patch) | |
tree | 14b91e053f35fe5a15eae14d61107d72d572dae1 | |
parent | a872024581f2e73edbea6eece56361ce508ea881 (diff) | |
download | lwn-631015e45ee3bdcde1fe75e7d04fdfece6e42016.tar.gz lwn-631015e45ee3bdcde1fe75e7d04fdfece6e42016.zip |
libceph: avoid NULL kref_put when osd reset races with alloc_msg
(cherry picked from commit 9bd952615a42d7e2ce3fa2c632e808e804637a1a)
The ceph_on_in_msg_alloc() method drops con->mutex while it allocates a
message. If that races with a timeout that resends a zillion messages and
resets the connection, and the ->alloc_msg() method returns a NULL message,
it will call ceph_msg_put(NULL) and BUG.
Fix by only calling put if msg is non-NULL.
Fixes http://tracker.newdream.net/issues/3142
Signed-off-by: Sage Weil <sage@inktank.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r-- | net/ceph/messenger.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c index 84f34c3f3e90..aa71a67450af 100644 --- a/net/ceph/messenger.c +++ b/net/ceph/messenger.c @@ -2746,7 +2746,8 @@ static int ceph_con_in_msg_alloc(struct ceph_connection *con, int *skip) msg = con->ops->alloc_msg(con, hdr, skip); mutex_lock(&con->mutex); if (con->state != CON_STATE_OPEN) { - ceph_msg_put(msg); + if (msg) + ceph_msg_put(msg); return -EAGAIN; } con->in_msg = msg; |