linux/net/ceph
Ilya Dryomov 20cf67dcb7 libceph: fix race between delayed_work() and ceph_monc_stop()
commit 69c7b2fe4c upstream.

The way the delayed work is handled in ceph_monc_stop() is prone to
races with mon_fault() and possibly also finish_hunting().  Both of
these can requeue the delayed work which wouldn't be canceled by any of
the following code in case that happens after cancel_delayed_work_sync()
runs -- __close_session() doesn't mess with the delayed work in order
to avoid interfering with the hunting interval logic.  This part was
missed in commit b5d91704f5 ("libceph: behave in mon_fault() if
cur_mon < 0") and use-after-free can still ensue on monc and objects
that hang off of it, with monc->auth and monc->monmap being
particularly susceptible to quickly being reused.

To fix this:

- clear monc->cur_mon and monc->hunting as part of closing the session
  in ceph_monc_stop()
- bail from delayed_work() if monc->cur_mon is cleared, similar to how
  it's done in mon_fault() and finish_hunting() (based on monc->hunting)
- call cancel_delayed_work_sync() after the session is closed

Cc: stable@vger.kernel.org
Link: https://tracker.ceph.com/issues/66857
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Xiubo Li <xiubli@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-07-18 13:07:42 +02:00
..
crush treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
armor.c
auth_none.c libceph: kill ceph_none_authorizer::reply_buf 2021-06-28 23:49:25 +02:00
auth_none.h libceph: kill ceph_none_authorizer::reply_buf 2021-06-28 23:49:25 +02:00
auth_x_protocol.h libceph: fix some spelling mistakes 2021-06-28 23:49:25 +02:00
auth_x.c libceph: set global_id as soon as we get an auth ticket 2021-06-24 21:03:17 +02:00
auth_x.h
auth.c libceph: remove unnecessary ret variable in ceph_auth_init() 2021-06-28 23:49:25 +02:00
buffer.c
ceph_common.c libceph: remove osdtimeout option entirely 2021-02-16 12:09:52 +01:00
ceph_hash.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
ceph_strings.c libceph: introduce connection modes and ms_mode option 2020-12-14 23:21:50 +01:00
cls_lock_client.c libceph: fix doc warnings in cls_lock_client.c 2021-06-28 23:49:25 +02:00
crypto.c libceph: zero out session key and connection secret 2021-01-04 17:31:32 +01:00
crypto.h libceph, ceph: incorporate nautilus cephx changes 2020-12-14 23:21:50 +01:00
debugfs.c libceph: dump class and method names on method calls 2020-08-03 11:03:01 +02:00
decode.c libceph: allow addrvecs with a single NONE/blank address 2021-05-04 16:06:15 +02:00
Kconfig libceph, ceph: implement msgr2.1 protocol (crc and secure modes) 2020-12-14 23:21:50 +01:00
Makefile libceph, ceph: implement msgr2.1 protocol (crc and secure modes) 2020-12-14 23:21:50 +01:00
messenger_v1.c libceph: fix "Boolean result is used in bitwise operation" warning 2021-01-21 16:49:59 +01:00
messenger_v2.c libceph: harden msgr2.1 frame segment length checks 2023-07-23 13:47:53 +02:00
messenger.c libceph: use kernel_connect() 2023-10-19 23:05:36 +02:00
mon_client.c libceph: fix race between delayed_work() and ceph_monc_stop() 2024-07-18 13:07:42 +02:00
msgpool.c
osd_client.c libceph: fix potential hang in ceph_osdc_notify() 2023-08-11 15:13:55 +02:00
osdmap.c libceph: fix some spelling mistakes 2021-06-28 23:49:25 +02:00
pagelist.c
pagevec.c libceph: remove ceph_get_direct_page_vector() 2019-07-08 14:01:40 +02:00
snapshot.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 268 2019-06-05 17:30:29 +02:00
string_table.c
striper.c rbd: support for object-map and fast-diff 2019-07-08 14:01:45 +02:00