linux/net/ceph
Ilya Dryomov 9525af1f58 libceph: fix race between delayed_work() and ceph_monc_stop()
commit 69c7b2fe4c upstream.

The way the delayed work is handled in ceph_monc_stop() is prone to
races with mon_fault() and possibly also finish_hunting().  Both of
these can requeue the delayed work which wouldn't be canceled by any of
the following code in case that happens after cancel_delayed_work_sync()
runs -- __close_session() doesn't mess with the delayed work in order
to avoid interfering with the hunting interval logic.  This part was
missed in commit b5d91704f5 ("libceph: behave in mon_fault() if
cur_mon < 0") and use-after-free can still ensue on monc and objects
that hang off of it, with monc->auth and monc->monmap being
particularly susceptible to quickly being reused.

To fix this:

- clear monc->cur_mon and monc->hunting as part of closing the session
  in ceph_monc_stop()
- bail from delayed_work() if monc->cur_mon is cleared, similar to how
  it's done in mon_fault() and finish_hunting() (based on monc->hunting)
- call cancel_delayed_work_sync() after the session is closed

Cc: stable@vger.kernel.org
Link: https://tracker.ceph.com/issues/66857
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Xiubo Li <xiubli@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-07-18 13:21:22 +02:00
..
crush libceph: use swap() macro instead of taking tmp variable 2022-05-25 20:45:13 +02:00
armor.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
auth_none.c libceph: kill ceph_none_authorizer::reply_buf 2021-06-28 23:49:25 +02:00
auth_none.h libceph: kill ceph_none_authorizer::reply_buf 2021-06-28 23:49:25 +02:00
auth_x_protocol.h libceph: fix some spelling mistakes 2021-06-28 23:49:25 +02:00
auth_x.c libceph: set global_id as soon as we get an auth ticket 2021-06-24 21:03:17 +02:00
auth_x.h ceph: fix whitespace 2018-08-02 21:33:21 +02:00
auth.c libceph: remove unnecessary ret variable in ceph_auth_init() 2021-06-28 23:49:25 +02:00
buffer.c mm: allow !GFP_KERNEL allocations for kvmalloc 2022-01-15 16:30:29 +02:00
ceph_common.c libceph: optionally use bounce buffer on recv path in crc mode 2022-02-02 18:50:36 +01:00
ceph_hash.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
ceph_strings.c libceph: introduce connection modes and ms_mode option 2020-12-14 23:21:50 +01:00
cls_lock_client.c libceph: fix doc warnings in cls_lock_client.c 2021-06-28 23:49:25 +02:00
crypto.c mm: allow !GFP_KERNEL allocations for kvmalloc 2022-01-15 16:30:29 +02:00
crypto.h libceph, ceph: incorporate nautilus cephx changes 2020-12-14 23:21:50 +01:00
debugfs.c libceph: dump class and method names on method calls 2020-08-03 11:03:01 +02:00
decode.c libceph: allow addrvecs with a single NONE/blank address 2021-05-04 16:06:15 +02:00
Kconfig libceph, ceph: implement msgr2.1 protocol (crc and secure modes) 2020-12-14 23:21:50 +01:00
Makefile libceph, ceph: implement msgr2.1 protocol (crc and secure modes) 2020-12-14 23:21:50 +01:00
messenger_v1.c libceph: just wait for more data to be available on the socket 2024-02-16 19:10:53 +01:00
messenger_v2.c libceph: just wait for more data to be available on the socket 2024-02-16 19:10:53 +01:00
messenger.c libceph: use kernel_connect() 2023-10-09 13:35:24 +02:00
mon_client.c libceph: fix race between delayed_work() and ceph_monc_stop() 2024-07-18 13:21:22 +02:00
msgpool.c libceph: preallocate message data items 2018-10-22 10:28:22 +02:00
osd_client.c libceph: fail sparse-read if the data length doesn't match 2024-03-01 13:34:56 +01:00
osdmap.c libceph: print fsid and epoch with osd id 2022-08-03 00:54:12 +02:00
pagelist.c libceph: fix ceph_pagelist_reserve() comment typo 2022-08-03 00:54:13 +02:00
pagevec.c libceph: remove ceph_get_direct_page_vector() 2019-07-08 14:01:40 +02:00
snapshot.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 268 2019-06-05 17:30:29 +02:00
string_table.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
striper.c rbd: support for object-map and fast-diff 2019-07-08 14:01:45 +02:00