1. 05 Feb, 2012 9 commits
  2. 03 Feb, 2012 23 commits
  3. 02 Feb, 2012 8 commits
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client · 6c073a7e
      Linus Torvalds authored
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client:
        rbd: fix safety of rbd_put_client()
        rbd: fix a memory leak in rbd_get_client()
        ceph: create a new session lock to avoid lock inversion
        ceph: fix length validation in parse_reply_info()
        ceph: initialize client debugfs outside of monc->mutex
        ceph: change "ceph.layout" xattr to be "ceph.file.layout"
      6c073a7e
    • Josh Triplett's avatar
    • Alex Elder's avatar
      rbd: fix safety of rbd_put_client() · d23a4b3f
      Alex Elder authored
      The rbd_client structure uses a kref to arrange for cleaning up and
      freeing an instance when its last reference is dropped.  The cleanup
      routine is rbd_client_release(), and one of the things it does is
      delete the rbd_client from rbd_client_list.  It acquires node_lock
      to do so, but the way it is done is still not safe.
      
      The problem is that when attempting to reuse an existing rbd_client,
      the structure found might already be in the process of getting
      destroyed and cleaned up.
      
      Here's the scenario, with "CLIENT" representing an existing
      rbd_client that's involved in the race:
      
       Thread on CPU A                | Thread on CPU B
       ---------------                | ---------------
       rbd_put_client(CLIENT)         | rbd_get_client()
         kref_put()                   |   (acquires node_lock)
           kref->refcount becomes 0   |   __rbd_client_find() returns CLIENT
           calls rbd_client_release() |   kref_get(&CLIENT->kref);
                                      |   (releases node_lock)
             (acquires node_lock)     |
             deletes CLIENT from list | ...and starts using CLIENT...
             (releases node_lock)     |
             and frees CLIENT         | <-- but CLIENT gets freed here
      
      Fix this by having rbd_put_client() acquire node_lock.  The result
      could still be improved, but at least it avoids this problem.
      Signed-off-by: default avatarAlex Elder <elder@dreamhost.com>
      Signed-off-by: default avatarSage Weil <sage@newdream.net>
      d23a4b3f
    • Christopher Yeoh's avatar
      Fix race in process_vm_rw_core · 8cdb878d
      Christopher Yeoh authored
      This fixes the race in process_vm_core found by Oleg (see
      
        http://article.gmane.org/gmane.linux.kernel/1235667/
      
      for details).
      
      This has been updated since I last sent it as the creation of the new
      mm_access() function did almost exactly the same thing as parts of the
      previous version of this patch did.
      
      In order to use mm_access() even when /proc isn't enabled, we move it to
      kernel/fork.c where other related process mm access functions already
      are.
      Signed-off-by: default avatarChris Yeoh <yeohc@au1.ibm.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      8cdb878d
    • Alex Elder's avatar
      rbd: fix a memory leak in rbd_get_client() · 97bb59a0
      Alex Elder authored
      If an existing rbd client is found to be suitable for use in
      rbd_get_client(), the rbd_options structure is not being
      freed as it should.  Fix that.
      Signed-off-by: default avatarAlex Elder <elder@dreamhost.com>
      Signed-off-by: default avatarSage Weil <sage@newdream.net>
      97bb59a0
    • Alex Elder's avatar
      ceph: create a new session lock to avoid lock inversion · d8fb02ab
      Alex Elder authored
      Lockdep was reporting a possible circular lock dependency in
      dentry_lease_is_valid().  That function needs to sample the
      session's s_cap_gen and and s_cap_ttl fields coherently, but needs
      to do so while holding a dentry lock.  The s_cap_lock field was
      being used to protect the two fields, but that can't be taken while
      holding a lock on a dentry within the session.
      
      In most cases, the s_cap_gen and s_cap_ttl fields only get operated
      on separately.  But in three cases they need to be updated together.
      Implement a new lock to protect the spots updating both fields
      atomically is required.
      Signed-off-by: default avatarAlex Elder <elder@dreamhost.com>
      Reviewed-by: default avatarSage Weil <sage@newdream.net>
      d8fb02ab
    • Xi Wang's avatar
      ceph: fix length validation in parse_reply_info() · 32852a81
      Xi Wang authored
      "len" is read from network and thus needs validation.  Otherwise, given
      a bogus "len" value, p+len could be an out-of-bounds pointer, which is
      used in further parsing.
      Signed-off-by: default avatarXi Wang <xi.wang@gmail.com>
      Signed-off-by: default avatarSage Weil <sage@newdream.net>
      32852a81
    • Sage Weil's avatar
      ceph: initialize client debugfs outside of monc->mutex · ab434b60
      Sage Weil authored
      Initializing debufs under monc->mutex introduces a lock dependency for
      sb->s_type->i_mutex_key, which (combined with several other dependencies)
      leads to an annoying lockdep warning.  There's no particular reason to do
      the debugfs setup under this lock, so move it out.
      
      It used to be the case that our first monmap could come from the OSD; that
      is no longer the case with recent servers, so we will reliably set up the
      client entry during the initial authentication.
      
      We don't have to worry about racing with debugfs teardown by
      ceph_debugfs_client_cleanup() because ceph_destroy_client() calls
      ceph_msgr_flush() first, which will wait for the message dispatch work
      to complete (and the debugfs init to complete).
      
      Fixes: #1940
      Signed-off-by: default avatarSage Weil <sage@newdream.net>
      ab434b60