From c807f27c391d336a7223fcfdd3daad9bb374a3dc Mon Sep 17 00:00:00 2001 From: Sage Weil Date: Mon, 5 Aug 2013 12:52:44 -0700 Subject: [PATCH] mds: fix locking, use-after-free/race in handle_accept We need to hold mds_lock here. Normally the con also holds a reference, but an ill-timed connection reset could drop it. Fixes: #5883 Backport: dumpling, cuttlefish Signed-off-by: Sage Weil (cherry picked from commit a0929955cb84fb8cfdeb551d6863e4955b8e2a71) --- src/mds/MDS.cc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/mds/MDS.cc b/src/mds/MDS.cc index 935fb0c417ed5..c2a4e9f05b849 100644 --- a/src/mds/MDS.cc +++ b/src/mds/MDS.cc @@ -2162,10 +2162,10 @@ bool MDS::ms_verify_authorizer(Connection *con, int peer_type, void MDS::ms_handle_accept(Connection *con) { + Mutex::Locker l(mds_lock); Session *s = static_cast(con->get_priv()); dout(10) << "ms_handle_accept " << con->get_peer_addr() << " con " << con << " session " << s << dendl; if (s) { - s->put(); if (s->connection != con) { dout(10) << " session connection " << s->connection << " -> " << con << dendl; s->connection = con; @@ -2176,5 +2176,6 @@ void MDS::ms_handle_accept(Connection *con) s->preopen_out_queue.pop_front(); } } + s->put(); } } -- 2.39.5