admin/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2025-12-07 20:06:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

ceph: fix potential use-after-free bug when trimming caps

Browse Source 
When trimming the caps and just after the 'session->s_cap_lock' is
released in ceph_iterate_session_caps() the cap maybe removed by
another thread, and when using the stale cap memory in the callbacks
it will trigger use-after-free crash.

We need to check the existence of the cap just after the 'ci->i_ceph_lock'
being acquired. And do nothing if it's already removed.

Cc: stable@vger.kernel.org
Link: https://tracker.ceph.com/issues/43272
Signed-off-by: Xiubo Li <xiubli@redhat.com>
Reviewed-by: Luís Henriques <lhenriques@suse.de>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
This commit is contained in:
Xiubo Li
2023-04-19 10:39:14 +08:00
committed by Ilya Dryomov
parent 7d41870d65
commit aaf67de788
5 changed files with 61 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
fs/ceph/debugfs.c
View File

@@ -248,14 +248,20 @@ static int metrics_caps_show(struct seq_file *s, void *p)
return 0;
}
static int caps_show_cb(struct inode *inode, struct ceph_cap *cap, void *p)
static int caps_show_cb(struct inode *inode, int mds, void *p)
{
struct ceph_inode_info *ci = ceph_inode(inode);
struct seq_file *s = p;
struct ceph_cap *cap;
seq_printf(s, "0x%-17llx%-3d%-17s%-17s\n", ceph_ino(inode),
cap->session->s_mds,
ceph_cap_string(cap->issued),
ceph_cap_string(cap->implemented));
spin_lock(&ci->i_ceph_lock);
cap = __get_cap_for_mds(ci, mds);
if (cap)
seq_printf(s, "0x%-17llx%-3d%-17s%-17s\n", ceph_ino(inode),
cap->session->s_mds,
ceph_cap_string(cap->issued),
ceph_cap_string(cap->implemented));
spin_unlock(&ci->i_ceph_lock);
return 0;
}