From: Sage Weil Date: Mon, 5 Aug 2013 19:52:44 +0000 (-0700) Subject: mds: fix locking, use-after-free/race in handle_accept X-Git-Tag: v0.61.9~28 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=c807f27c391d336a7223fcfdd3daad9bb374a3dc;p=ceph.git mds: fix locking, use-after-free/race in handle_accept We need to hold mds_lock here. Normally the con also holds a reference, but an ill-timed connection reset could drop it. Fixes: #5883 Backport: dumpling, cuttlefish Signed-off-by: Sage Weil (cherry picked from commit a0929955cb84fb8cfdeb551d6863e4955b8e2a71)
---
diff --git a/src/mds/MDS.cc b/src/mds/MDS.cc
index 935fb0c417ed..c2a4e9f05b84 100644
--- a/src/mds/MDS.cc
+++ b/src/mds/MDS.cc
@@ -2162,10 +2162,10 @@ bool MDS::ms_verify_authorizer(Connection *con, int peer_type,
 
 void MDS::ms_handle_accept(Connection *con)
 {
+ Mutex::Locker l(mds_lock);
 Session *s = static_cast(con->get_priv());
 dout(10) << "ms_handle_accept " << con->get_peer_addr() << " con " << con << " session " << s << dendl;
 if (s) {
- s->put();
 if (s->connection != con) {
 dout(10) << " session connection " << s->connection << " -> " << con << dendl;
 s->connection = con;
@@ -2176,5 +2176,6 @@ void MDS::ms_handle_accept(Connection *con)
 s->preopen_out_queue.pop_front();
 }
 }
+ s->put();
 }
 }
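Review bot: Nothing at the new `Mutex::Locker l(mds_lock);` line records why the lock is needed or that this callback must be entered without mds_lock already held; if Mutex is non-recursive (not visible here), a messenger path that reaches ms_handle_accept under the lock would deadlock instead of racing. The reasoning currently lives only in the commit message, so I would add a comment above the locker such as `// messenger callback: take mds_lock before touching Session state; the ref from get_priv() is what keeps s alive across a connection reset`. It is also worth confirming that the other ms_handle_* callbacks in this file take the lock the same way, since they are outside this hunk. The body of ms_handle_accept continues past the end of the hunk.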
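Review bot: The relocated `s->put();` is a manual release at the end of the `if (s)` block, so an early return added inside that block later would leak the Session reference, and any access to `s` placed after it would bring the use-after-free back. A one-line comment on the line above, `// drop the ref taken by get_priv(); s may be freed here, do not touch it afterwards`, makes the ordering constraint explicit. If put() can release the last reference, the Session is destroyed while mds_lock is held, which looks intended but should be confirmed. The `if (s)` block opens outside this hunk.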