* FAILED: patch "[PATCH] rbd: call rbd_dev_unprobe() after unwatching and flushing" failed to apply to 5.4-stable tree
@ 2020-04-21 17:07 gregkh
2020-04-21 23:56 ` Sasha Levin
0 siblings, 1 reply; 2+ messages in thread
From: gregkh @ 2020-04-21 17:07 UTC (permalink / raw
To: idryomov, dillaman; +Cc: stable
The patch below does not apply to the 5.4-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable@vger.kernel.org>.
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 952c48b0ed18919bff7528501e9a3fff8a24f8cd Mon Sep 17 00:00:00 2001
From: Ilya Dryomov <idryomov@gmail.com>
Date: Mon, 16 Mar 2020 15:52:54 +0100
Subject: [PATCH] rbd: call rbd_dev_unprobe() after unwatching and flushing
notifies
rbd_dev_unprobe() is supposed to undo most of rbd_dev_image_probe(),
including rbd_dev_header_info(), which means that rbd_dev_header_info()
isn't supposed to be called after rbd_dev_unprobe().
However, rbd_dev_image_release() calls rbd_dev_unprobe() before
rbd_unregister_watch(). This is racy because a header update notify
can sneak in:
"rbd unmap" thread ceph-watch-notify worker
rbd_dev_image_release()
rbd_dev_unprobe()
free and zero out header
rbd_watch_cb()
rbd_dev_refresh()
rbd_dev_header_info()
read in header
The same goes for "rbd map" because rbd_dev_image_probe() calls
rbd_dev_unprobe() on errors. In both cases this results in a memory
leak.
Fixes: fd22aef8b47c ("rbd: move rbd_unregister_watch() call into rbd_dev_image_release()")
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Jason Dillaman <dillaman@redhat.com>
diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
index ff2377e6d12c..7aec8bc5df6e 100644
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -6898,9 +6898,10 @@ static void rbd_print_dne(struct rbd_device *rbd_dev, bool is_snap)
static void rbd_dev_image_release(struct rbd_device *rbd_dev)
{
- rbd_dev_unprobe(rbd_dev);
if (rbd_dev->opts)
rbd_unregister_watch(rbd_dev);
+
+ rbd_dev_unprobe(rbd_dev);
rbd_dev->image_format = 0;
kfree(rbd_dev->spec->image_id);
rbd_dev->spec->image_id = NULL;
@@ -6950,7 +6951,7 @@ static int rbd_dev_image_probe(struct rbd_device *rbd_dev, int depth)
if (ret) {
if (ret == -ENOENT && !need_watch)
rbd_print_dne(rbd_dev, false);
- goto err_out_watch;
+ goto err_out_probe;
}
/*
@@ -6995,12 +6996,11 @@ static int rbd_dev_image_probe(struct rbd_device *rbd_dev, int depth)
return 0;
err_out_probe:
- rbd_dev_unprobe(rbd_dev);
-err_out_watch:
if (!depth)
up_write(&rbd_dev->header_rwsem);
if (need_watch)
rbd_unregister_watch(rbd_dev);
+ rbd_dev_unprobe(rbd_dev);
err_out_format:
rbd_dev->image_format = 0;
kfree(rbd_dev->spec->image_id);
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: FAILED: patch "[PATCH] rbd: call rbd_dev_unprobe() after unwatching and flushing" failed to apply to 5.4-stable tree
2020-04-21 17:07 FAILED: patch "[PATCH] rbd: call rbd_dev_unprobe() after unwatching and flushing" failed to apply to 5.4-stable tree gregkh
@ 2020-04-21 23:56 ` Sasha Levin
0 siblings, 0 replies; 2+ messages in thread
From: Sasha Levin @ 2020-04-21 23:56 UTC (permalink / raw
To: gregkh; +Cc: idryomov, dillaman, stable
On Tue, Apr 21, 2020 at 07:07:22PM +0200, gregkh@linuxfoundation.org wrote:
>
>The patch below does not apply to the 5.4-stable tree.
>If someone wants it applied there, or to any other stable or longterm
>tree, then please email the backport, including the original git commit
>id to <stable@vger.kernel.org>.
>
>thanks,
>
>greg k-h
>
>------------------ original commit in Linus's tree ------------------
>
>From 952c48b0ed18919bff7528501e9a3fff8a24f8cd Mon Sep 17 00:00:00 2001
>From: Ilya Dryomov <idryomov@gmail.com>
>Date: Mon, 16 Mar 2020 15:52:54 +0100
>Subject: [PATCH] rbd: call rbd_dev_unprobe() after unwatching and flushing
> notifies
>
>rbd_dev_unprobe() is supposed to undo most of rbd_dev_image_probe(),
>including rbd_dev_header_info(), which means that rbd_dev_header_info()
>isn't supposed to be called after rbd_dev_unprobe().
>
>However, rbd_dev_image_release() calls rbd_dev_unprobe() before
>rbd_unregister_watch(). This is racy because a header update notify
>can sneak in:
>
> "rbd unmap" thread ceph-watch-notify worker
>
> rbd_dev_image_release()
> rbd_dev_unprobe()
> free and zero out header
> rbd_watch_cb()
> rbd_dev_refresh()
> rbd_dev_header_info()
> read in header
>
>The same goes for "rbd map" because rbd_dev_image_probe() calls
>rbd_dev_unprobe() on errors. In both cases this results in a memory
>leak.
>
>Fixes: fd22aef8b47c ("rbd: move rbd_unregister_watch() call into rbd_dev_image_release()")
>Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
>Reviewed-by: Jason Dillaman <dillaman@redhat.com>
Another conflict because we miss b9ef2b8858a0 ("rbd: don't establish
watch for read-only mappings") on 5.4 and older. Fixed and queued up for
5.4-4.14.
--
Thanks,
Sasha
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-04-21 23:56 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-04-21 17:07 FAILED: patch "[PATCH] rbd: call rbd_dev_unprobe() after unwatching and flushing" failed to apply to 5.4-stable tree gregkh
2020-04-21 23:56 ` Sasha Levin
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.