mds: fix locking, use-after-free/race in handle_accept

We need to hold mds_lock here.

Normally the con also holds a reference, but an ill-timed connection reset
could drop it.

Fixes: #5883
Backport: dumpling, cuttlefish
Signed-off-by: Sage Weil <sage@inktank.com>

1 files changed, 2 insertions, 1 deletions

diff --git a/src/mds/MDS.cc b/src/mds/MDS.cc
index 7dcf68822aa..092d5ebec65 100644
--- a/src/mds/MDS.cc
+++ b/src/mds/MDS.cc
@@ -2175,10 +2175,10 @@ bool MDS::ms_verify_authorizer(Connection *con, int peer_type,
 
 void MDS::ms_handle_accept(Connection *con)
 {
+  Mutex::Locker l(mds_lock);
   Session *s = static_cast<Session *>(con->get_priv());
   dout(10) << "ms_handle_accept " << con->get_peer_addr() << " con " << con << " session " << s << dendl;
   if (s) {
-    s->put();
     if (s->connection != con) {
       dout(10) << " session connection " << s->connection << " -> " << con << dendl;
       s->connection = con;
@@ -2189,5 +2189,6 @@ void MDS::ms_handle_accept(Connection *con)
 	s->preopen_out_queue.pop_front();
       }
     }
+    s->put();
   }
 }