aboutsummaryrefslogtreecommitdiff
path: root/drivers/gpu/drm/amd/amdgpu/amdgpu_object.h
diff options
context:
space:
mode:
authorIlya Dryomov <[email protected]>2024-07-08 22:37:29 +0200
committerIlya Dryomov <[email protected]>2024-07-10 10:11:55 +0200
commit69c7b2fe4c9cc1d3b1186d1c5606627ecf0de883 (patch)
tree3b0acfdf1a2e124873ad38dd432cd0b7eed072c2 /drivers/gpu/drm/amd/amdgpu/amdgpu_object.h
parent256abd8e550ce977b728be79a74e1729438b4948 (diff)
libceph: fix race between delayed_work() and ceph_monc_stop()
The way the delayed work is handled in ceph_monc_stop() is prone to races with mon_fault() and possibly also finish_hunting(). Both of these can requeue the delayed work which wouldn't be canceled by any of the following code in case that happens after cancel_delayed_work_sync() runs -- __close_session() doesn't mess with the delayed work in order to avoid interfering with the hunting interval logic. This part was missed in commit b5d91704f53e ("libceph: behave in mon_fault() if cur_mon < 0") and use-after-free can still ensue on monc and objects that hang off of it, with monc->auth and monc->monmap being particularly susceptible to quickly being reused. To fix this: - clear monc->cur_mon and monc->hunting as part of closing the session in ceph_monc_stop() - bail from delayed_work() if monc->cur_mon is cleared, similar to how it's done in mon_fault() and finish_hunting() (based on monc->hunting) - call cancel_delayed_work_sync() after the session is closed Cc: [email protected] Link: https://tracker.ceph.com/issues/66857 Signed-off-by: Ilya Dryomov <[email protected]> Reviewed-by: Xiubo Li <[email protected]>
Diffstat (limited to 'drivers/gpu/drm/amd/amdgpu/amdgpu_object.h')
0 files changed, 0 insertions, 0 deletions