client: fix some potential locking problems in InodeRef handling

As Zheng points out, declaring an InodeRef before you take the mutex
means that its destructor gets called after the mutex has already been
released. Handling the refcount however, requires that you hold the
mutex so this could cause refcount leaks if two threads do a
load/decrement/store at the same time. Reverse the order.

Adding a fixes line here for the currently reported bug, but it's
not yet clear whether this will fix it.

Fixes: http://tracker.ceph.com/issues/17982
Signed-off-by: Jeff Layton <jlayton@redhat.com>

diff --git a/src/client/Client.cc b/src/client/Client.cc
index bc246f7adf6dfb7cf299fe55fa485120d92b0087..87e0d2646805b4be5b6cf68c6bc15b297852e869 100644 (file)
--- a/src/client/Client.cc
+++ b/src/client/Client.cc
@@ -11927,8 +11927,8 @@ int Client::ll_create(Inode *parent, const char *name, mode_t mode,
                      int flags, struct stat *attr, Inode **outp, Fh **fhp,
                      const UserPerm& perms)
 {
-  InodeRef in;
   Mutex::Locker lock(client_lock);
+  InodeRef in;
 
   int r = _ll_create(parent, name, mode, flags, &in, CEPH_STAT_CAP_INODE_ALL,
                      fhp, perms);
@@ -11954,8 +11954,8 @@ int Client::ll_createx(Inode *parent, const char *name, mode_t mode,
                        const UserPerm& perms)
 {
   unsigned caps = statx_to_mask(lflags, want);
-  InodeRef in;
   Mutex::Locker lock(client_lock);
+  InodeRef in;
 
   int r = _ll_create(parent, name, mode, oflags, &in, caps, fhp, perms);
   if (r >= 0) {