linux-stable/net/ceph
Ilya Dryomov ce2e1de11e libceph: fix potential use-after-free on linger ping and resends
commit 75dbb685f4 upstream.

request_reinit() is not only ugly as the comment rightfully suggests,
but also unsafe.  Even though it is called with osdc->lock held for
write in all cases, resetting the OSD request refcount can still race
with handle_reply() and result in use-after-free.  Taking linger ping
as an example:

    handle_timeout thread                     handle_reply thread

                                              down_read(&osdc->lock)
                                              req = lookup_request(...)
                                              ...
                                              finish_request(req)  # unregisters
                                              up_read(&osdc->lock)
                                              __complete_request(req)
                                                linger_ping_cb(req)

      # req->r_kref == 2 because handle_reply still holds its ref

    down_write(&osdc->lock)
    send_linger_ping(lreq)
      req = lreq->ping_req  # same req
      # cancel_linger_request is NOT
      # called - handle_reply already
      # unregistered
      request_reinit(req)
        WARN_ON(req->r_kref != 1)  # fires
        request_init(req)
          kref_init(req->r_kref)

                   # req->r_kref == 1 after kref_init

                                              ceph_osdc_put_request(req)
                                                kref_put(req->r_kref)

            # req->r_kref == 0 after kref_put, req is freed

        <further req initialization/use> !!!

This happens because send_linger_ping() always (re)uses the same OSD
request for watch ping requests, relying on cancel_linger_request() to
unregister it from the OSD client and rip its messages out from the
messenger.  send_linger() does the same for watch/notify registration
and watch reconnect requests.  Unfortunately cancel_request() doesn't
guarantee that after it returns the OSD client would be completely done
with the OSD request -- a ref could still be held and the callback (if
specified) could still be invoked too.

The original motivation for request_reinit() was inability to deal with
allocation failures in send_linger() and send_linger_ping().  Switching
to using osdc->req_mempool (currently only used by CephFS) respects that
and allows us to get rid of request_reinit().

Cc: stable@vger.kernel.org
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Xiubo Li <xiubli@redhat.com>
Acked-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-05-25 09:59:04 +02:00
..
crush treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
armor.c
auth.c libceph: remove unnecessary ret variable in ceph_auth_init() 2021-06-28 23:49:25 +02:00
auth_none.c libceph: kill ceph_none_authorizer::reply_buf 2021-06-28 23:49:25 +02:00
auth_none.h libceph: kill ceph_none_authorizer::reply_buf 2021-06-28 23:49:25 +02:00
auth_x.c libceph: set global_id as soon as we get an auth ticket 2021-06-24 21:03:17 +02:00
auth_x.h
auth_x_protocol.h libceph: fix some spelling mistakes 2021-06-28 23:49:25 +02:00
buffer.c mm: allow !GFP_KERNEL allocations for kvmalloc 2022-01-15 16:30:29 +02:00
ceph_common.c libceph: optionally use bounce buffer on recv path in crc mode 2022-02-02 18:50:36 +01:00
ceph_hash.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
ceph_strings.c libceph: introduce connection modes and ms_mode option 2020-12-14 23:21:50 +01:00
cls_lock_client.c libceph: fix doc warnings in cls_lock_client.c 2021-06-28 23:49:25 +02:00
crypto.c mm: allow !GFP_KERNEL allocations for kvmalloc 2022-01-15 16:30:29 +02:00
crypto.h libceph, ceph: incorporate nautilus cephx changes 2020-12-14 23:21:50 +01:00
debugfs.c
decode.c libceph: allow addrvecs with a single NONE/blank address 2021-05-04 16:06:15 +02:00
Kconfig libceph, ceph: implement msgr2.1 protocol (crc and secure modes) 2020-12-14 23:21:50 +01:00
Makefile libceph, ceph: implement msgr2.1 protocol (crc and secure modes) 2020-12-14 23:21:50 +01:00
messenger.c libceph: optionally use bounce buffer on recv path in crc mode 2022-02-02 18:50:36 +01:00
messenger_v1.c libceph: optionally use bounce buffer on recv path in crc mode 2022-02-02 18:50:36 +01:00
messenger_v2.c libceph: optionally use bounce buffer on recv path in crc mode 2022-02-02 18:50:36 +01:00
mon_client.c libceph: drop ->monmap and err initialization 2021-11-08 03:29:51 +01:00
msgpool.c
osd_client.c libceph: fix potential use-after-free on linger ping and resends 2022-05-25 09:59:04 +02:00
osdmap.c mm: allow !GFP_KERNEL allocations for kvmalloc 2022-01-15 16:30:29 +02:00
pagelist.c
pagevec.c
snapshot.c
string_table.c
striper.c