client: stop the remount_finisher thread in the Client::unmount()

The ceph_fuse will unmount the client and then finalize the cfuse
and at the same will free the mountpoint memory. And at last will
try to stop the remount_finisher thread. But the remount_finisher
thread will use the freed mountpoint to do the remount, which will
case unexpected remount failures.

Just stop the remount_finisher thread in the Client::unmount().

Fixes: https://tracker.ceph.com/issues/56249
Signed-off-by: Xiubo Li <xiubli@redhat.com>

diff --git a/src/client/Client.cc b/src/client/Client.cc
index 539b7b2d5a16db48684b65fc4c6367212dee251b..e5dfc29356378d5fd3898fb944df0b4f9cff1d01 100644 (file)
--- a/src/client/Client.cc
+++ b/src/client/Client.cc
@@ -6664,6 +6664,17 @@ void Client::_unmount(bool abort)
 
   mref_writer.update_state(CLIENT_UNMOUNTED);
 
+  /*
+   * Stop the remount_queue before clearing the mountpoint memory
+   * to avoid possible use-after-free bug.
+   */
+  if (remount_cb) {
+    ldout(cct, 10) << "unmount stopping remount finisher" << dendl;
+    remount_finisher.wait_for_empty();
+    remount_finisher.stop();
+    remount_cb = nullptr;
+  }
+
   ldout(cct, 2) << "unmounted." << dendl;
 }