diff options
author | Sage Weil <sage@inktank.com> | 2013-08-05 12:52:44 -0700 |
---|---|---|
committer | Sage Weil <sage@inktank.com> | 2013-08-05 12:52:44 -0700 |
commit | a0929955cb84fb8cfdeb551d6863e4955b8e2a71 (patch) | |
tree | d884f16810d72e0b5c2aa17263f6b9db1f209ed9 | |
parent | e8d72ef0402a42c8aa8ea624497d13db81d5e361 (diff) | |
download | ceph-a0929955cb84fb8cfdeb551d6863e4955b8e2a71.tar.gz |
mds: fix locking, use-after-free/race in handle_accept
We need to hold mds_lock here.
Normally the con also holds a reference, but an ill-timed connection reset
could drop it.
Fixes: #5883
Backport: dumpling, cuttlefish
Signed-off-by: Sage Weil <sage@inktank.com>
-rw-r--r-- | src/mds/MDS.cc | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/mds/MDS.cc b/src/mds/MDS.cc index 7dcf68822aa..092d5ebec65 100644 --- a/src/mds/MDS.cc +++ b/src/mds/MDS.cc @@ -2175,10 +2175,10 @@ bool MDS::ms_verify_authorizer(Connection *con, int peer_type, void MDS::ms_handle_accept(Connection *con) { + Mutex::Locker l(mds_lock); Session *s = static_cast<Session *>(con->get_priv()); dout(10) << "ms_handle_accept " << con->get_peer_addr() << " con " << con << " session " << s << dendl; if (s) { - s->put(); if (s->connection != con) { dout(10) << " session connection " << s->connection << " -> " << con << dendl; s->connection = con; @@ -2189,5 +2189,6 @@ void MDS::ms_handle_accept(Connection *con) s->preopen_out_queue.pop_front(); } } + s->put(); } } |