mds: fix locking, use-after-free/race in handle_accept

We need to hold mds_lock here.

Normally the con also holds a reference, but an ill-timed connection reset
could drop it.

Fixes: #5883
Backport: dumpling, cuttlefish
Signed-off-by: Sage Weil <sage@inktank.com>
(cherry picked from commit a0929955cb84fb8cfdeb551d6863e4955b8e2a71)

diff --git a/src/mds/MDS.cc b/src/mds/MDS.cc
index 935fb0c417ed5b45cbb14da69bc168e6ae96d10b..c2a4e9f05b849378c169cfc88aef134d5f16b4ce 100644 (file)
--- a/src/mds/MDS.cc
+++ b/src/mds/MDS.cc
@@ -2162,10 +2162,10 @@ bool MDS::ms_verify_authorizer(Connection *con, int peer_type,
 
 void MDS::ms_handle_accept(Connection *con)
 {
+  Mutex::Locker l(mds_lock);
   Session *s = static_cast<Session *>(con->get_priv());
   dout(10) << "ms_handle_accept " << con->get_peer_addr() << " con " << con << " session " << s << dendl;
   if (s) {
-    s->put();
     if (s->connection != con) {
       dout(10) << " session connection " << s->connection << " -> " << con << dendl;
       s->connection = con;
@@ -2176,5 +2176,6 @@ void MDS::ms_handle_accept(Connection *con)
        s->preopen_out_queue.pop_front();
       }
     }
+    s->put();
   }
 }