ceph: fix potential use-after-free bug when trimming caps
When trimming the caps and just after the 'session->s_cap_lock' is released in ceph_iterate_session_caps() the cap maybe removed by another thread, and when using the stale cap memory in the callbacks it will trigger use-after-free crash. We need to check the existence of the cap just after the 'ci->i_ceph_lock' being acquired. And do nothing if it's already removed. Cc: stable@vger.kernel.org Link: https://tracker.ceph.com/issues/43272 Signed-off-by:Xiubo Li <xiubli@redhat.com> Reviewed-by:
Luís Henriques <lhenriques@suse.de> Signed-off-by:
Ilya Dryomov <idryomov@gmail.com>
Showing
- fs/ceph/caps.c 1 addition, 1 deletionfs/ceph/caps.c
- fs/ceph/debugfs.c 12 additions, 6 deletionsfs/ceph/debugfs.c
- fs/ceph/mds_client.c 46 additions, 26 deletionsfs/ceph/mds_client.c
- fs/ceph/mds_client.h 1 addition, 2 deletionsfs/ceph/mds_client.h
- fs/ceph/super.h 2 additions, 0 deletionsfs/ceph/super.h
Please register or sign in to comment