From 6001567c14eb8e93f8bceb35fc02158a3e1f20f8 Mon Sep 17 00:00:00 2001 From: Ilya Dryomov Date: Tue, 22 May 2018 16:26:51 +0200 Subject: [PATCH] libceph: avoid a use-after-free during map check Sending map check after complete_request() was called is not only useless, but can lead to a use-after-free as req->r_kref decrement in __complete_request() races with map check code. Signed-off-by: Ilya Dryomov Acked-by: Jeff Layton Reviewed-by: "Yan, Zheng" --- net/ceph/osd_client.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c index 34b5334548c3..294320400c72 100644 --- a/net/ceph/osd_client.c +++ b/net/ceph/osd_client.c @@ -2266,7 +2266,7 @@ static void __submit_request(struct ceph_osd_request *req, bool wrlocked) complete_request(req, err); mutex_unlock(&osd->lock); - if (ct_res == CALC_TARGET_POOL_DNE) + if (!err && ct_res == CALC_TARGET_POOL_DNE) send_map_check(req); if (promoted) -- GitLab