diff options
author | Sage Weil <sage@newdream.net> | 2011-11-06 01:06:31 -0400 |
---|---|---|
committer | Sage Weil <sage@newdream.net> | 2011-11-06 01:06:31 -0400 |
commit | 15a2015fbc692e1c97d7ce12d96e077f5ae7ea6d (patch) | |
tree | f902cc2b7cab475c8b220147bb786dc3a772888e /fs | |
parent | 0c6d4b4e22a513f8563a2e00c5ab08e9f8796272 (diff) |
ceph: fix iput race when queueing inode work
If we queue a work item that calls iput(), make sure we ihold() before
attempting to queue work. Otherwise our queued work might miraculously run
before we notice the queue_work() succeeded and call ihold(), allowing the
inode to be destroyed.
That is, instead of
if (queue_work(...))
ihold();
we need to do
ihold();
if (!queue_work(...))
iput();
Reported-by: Amon Ott <a.ott@m-privacy.de>
Signed-off-by: Sage Weil <sage@newdream.net>
Diffstat (limited to 'fs')
-rw-r--r-- | fs/ceph/inode.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c index e392bfce84a3..116f36502f17 100644 --- a/fs/ceph/inode.c +++ b/fs/ceph/inode.c | |||
@@ -1328,12 +1328,13 @@ int ceph_inode_set_size(struct inode *inode, loff_t size) | |||
1328 | */ | 1328 | */ |
1329 | void ceph_queue_writeback(struct inode *inode) | 1329 | void ceph_queue_writeback(struct inode *inode) |
1330 | { | 1330 | { |
1331 | ihold(inode); | ||
1331 | if (queue_work(ceph_inode_to_client(inode)->wb_wq, | 1332 | if (queue_work(ceph_inode_to_client(inode)->wb_wq, |
1332 | &ceph_inode(inode)->i_wb_work)) { | 1333 | &ceph_inode(inode)->i_wb_work)) { |
1333 | dout("ceph_queue_writeback %p\n", inode); | 1334 | dout("ceph_queue_writeback %p\n", inode); |
1334 | ihold(inode); | ||
1335 | } else { | 1335 | } else { |
1336 | dout("ceph_queue_writeback %p failed\n", inode); | 1336 | dout("ceph_queue_writeback %p failed\n", inode); |
1337 | iput(inode); | ||
1337 | } | 1338 | } |
1338 | } | 1339 | } |
1339 | 1340 | ||
@@ -1353,12 +1354,13 @@ static void ceph_writeback_work(struct work_struct *work) | |||
1353 | */ | 1354 | */ |
1354 | void ceph_queue_invalidate(struct inode *inode) | 1355 | void ceph_queue_invalidate(struct inode *inode) |
1355 | { | 1356 | { |
1357 | ihold(inode); | ||
1356 | if (queue_work(ceph_inode_to_client(inode)->pg_inv_wq, | 1358 | if (queue_work(ceph_inode_to_client(inode)->pg_inv_wq, |
1357 | &ceph_inode(inode)->i_pg_inv_work)) { | 1359 | &ceph_inode(inode)->i_pg_inv_work)) { |
1358 | dout("ceph_queue_invalidate %p\n", inode); | 1360 | dout("ceph_queue_invalidate %p\n", inode); |
1359 | ihold(inode); | ||
1360 | } else { | 1361 | } else { |
1361 | dout("ceph_queue_invalidate %p failed\n", inode); | 1362 | dout("ceph_queue_invalidate %p failed\n", inode); |
1363 | iput(inode); | ||
1362 | } | 1364 | } |
1363 | } | 1365 | } |
1364 | 1366 | ||
@@ -1434,13 +1436,14 @@ void ceph_queue_vmtruncate(struct inode *inode) | |||
1434 | { | 1436 | { |
1435 | struct ceph_inode_info *ci = ceph_inode(inode); | 1437 | struct ceph_inode_info *ci = ceph_inode(inode); |
1436 | 1438 | ||
1439 | ihold(inode); | ||
1437 | if (queue_work(ceph_sb_to_client(inode->i_sb)->trunc_wq, | 1440 | if (queue_work(ceph_sb_to_client(inode->i_sb)->trunc_wq, |
1438 | &ci->i_vmtruncate_work)) { | 1441 | &ci->i_vmtruncate_work)) { |
1439 | dout("ceph_queue_vmtruncate %p\n", inode); | 1442 | dout("ceph_queue_vmtruncate %p\n", inode); |
1440 | ihold(inode); | ||
1441 | } else { | 1443 | } else { |
1442 | dout("ceph_queue_vmtruncate %p failed, pending=%d\n", | 1444 | dout("ceph_queue_vmtruncate %p failed, pending=%d\n", |
1443 | inode, ci->i_truncate_pending); | 1445 | inode, ci->i_truncate_pending); |
1446 | iput(inode); | ||
1444 | } | 1447 | } |
1445 | } | 1448 | } |
1446 | 1449 | ||