aboutsummaryrefslogtreecommitdiffstats
path: root/fs
diff options
context:
space:
mode:
authorSage Weil <sage@newdream.net>2011-11-06 01:06:31 -0400
committerSage Weil <sage@newdream.net>2011-11-06 01:06:31 -0400
commit15a2015fbc692e1c97d7ce12d96e077f5ae7ea6d (patch)
treef902cc2b7cab475c8b220147bb786dc3a772888e /fs
parent0c6d4b4e22a513f8563a2e00c5ab08e9f8796272 (diff)
ceph: fix iput race when queueing inode work
If we queue a work item that calls iput(), make sure we ihold() before attempting to queue work. Otherwise our queued work might miraculously run before we notice the queue_work() succeeded and call ihold(), allowing the inode to be destroyed. That is, instead of if (queue_work(...)) ihold(); we need to do ihold(); if (!queue_work(...)) iput(); Reported-by: Amon Ott <a.ott@m-privacy.de> Signed-off-by: Sage Weil <sage@newdream.net>
Diffstat (limited to 'fs')
-rw-r--r--fs/ceph/inode.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c
index e392bfce84a3..116f36502f17 100644
--- a/fs/ceph/inode.c
+++ b/fs/ceph/inode.c
@@ -1328,12 +1328,13 @@ int ceph_inode_set_size(struct inode *inode, loff_t size)
1328 */ 1328 */
1329void ceph_queue_writeback(struct inode *inode) 1329void ceph_queue_writeback(struct inode *inode)
1330{ 1330{
1331 ihold(inode);
1331 if (queue_work(ceph_inode_to_client(inode)->wb_wq, 1332 if (queue_work(ceph_inode_to_client(inode)->wb_wq,
1332 &ceph_inode(inode)->i_wb_work)) { 1333 &ceph_inode(inode)->i_wb_work)) {
1333 dout("ceph_queue_writeback %p\n", inode); 1334 dout("ceph_queue_writeback %p\n", inode);
1334 ihold(inode);
1335 } else { 1335 } else {
1336 dout("ceph_queue_writeback %p failed\n", inode); 1336 dout("ceph_queue_writeback %p failed\n", inode);
1337 iput(inode);
1337 } 1338 }
1338} 1339}
1339 1340
@@ -1353,12 +1354,13 @@ static void ceph_writeback_work(struct work_struct *work)
1353 */ 1354 */
1354void ceph_queue_invalidate(struct inode *inode) 1355void ceph_queue_invalidate(struct inode *inode)
1355{ 1356{
1357 ihold(inode);
1356 if (queue_work(ceph_inode_to_client(inode)->pg_inv_wq, 1358 if (queue_work(ceph_inode_to_client(inode)->pg_inv_wq,
1357 &ceph_inode(inode)->i_pg_inv_work)) { 1359 &ceph_inode(inode)->i_pg_inv_work)) {
1358 dout("ceph_queue_invalidate %p\n", inode); 1360 dout("ceph_queue_invalidate %p\n", inode);
1359 ihold(inode);
1360 } else { 1361 } else {
1361 dout("ceph_queue_invalidate %p failed\n", inode); 1362 dout("ceph_queue_invalidate %p failed\n", inode);
1363 iput(inode);
1362 } 1364 }
1363} 1365}
1364 1366
@@ -1434,13 +1436,14 @@ void ceph_queue_vmtruncate(struct inode *inode)
1434{ 1436{
1435 struct ceph_inode_info *ci = ceph_inode(inode); 1437 struct ceph_inode_info *ci = ceph_inode(inode);
1436 1438
1439 ihold(inode);
1437 if (queue_work(ceph_sb_to_client(inode->i_sb)->trunc_wq, 1440 if (queue_work(ceph_sb_to_client(inode->i_sb)->trunc_wq,
1438 &ci->i_vmtruncate_work)) { 1441 &ci->i_vmtruncate_work)) {
1439 dout("ceph_queue_vmtruncate %p\n", inode); 1442 dout("ceph_queue_vmtruncate %p\n", inode);
1440 ihold(inode);
1441 } else { 1443 } else {
1442 dout("ceph_queue_vmtruncate %p failed, pending=%d\n", 1444 dout("ceph_queue_vmtruncate %p failed, pending=%d\n",
1443 inode, ci->i_truncate_pending); 1445 inode, ci->i_truncate_pending);
1446 iput(inode);
1444 } 1447 }
1445} 1448}
1446 1449