client: stop the remount_finisher thread in the Client::unmount()

The ceph_fuse will unmount the client and then finalize the cfuse
and at the same will free the mountpoint memory. And at last will
try to stop the remount_finisher thread. But the remount_finisher
thread will use the freed mountpoint to do the remount, which will
case unexpected remount failures.

Just stop the remount_finisher thread in the Client::unmount().

Fixes: https://tracker.ceph.com/issues/56249
Signed-off-by: Xiubo Li <xiubli@redhat.com>
(cherry picked from commit 90f9713607e2a752ea91c9941a46d7757a8bb605)

diff --git a/src/client/Client.cc b/src/client/Client.cc
index 5572446f20b1ae6136762c56b1a36125e8549754..75a106d0f4a860fd4684792a5901b68327beb934 100644 (file)
--- a/src/client/Client.cc
+++ b/src/client/Client.cc
@@ -6611,6 +6611,17 @@ void Client::_unmount(bool abort)
 
   mref_writer.update_state(CLIENT_UNMOUNTED);
 
+  /*
+   * Stop the remount_queue before clearing the mountpoint memory
+   * to avoid possible use-after-free bug.
+   */
+  if (remount_cb) {
+    ldout(cct, 10) << "unmount stopping remount finisher" << dendl;
+    remount_finisher.wait_for_empty();
+    remount_finisher.stop();
+    remount_cb = nullptr;
+  }
+
   ldout(cct, 2) << "unmounted." << dendl;
 }