ceph: fix cap removal races The iterate_session_caps helper traverses the session caps list and tries to grab an inode reference. However, the __ceph_remove_cap was clearing the inode backpointer _before_ removing itself from the session list, causing a null pointer dereference. Clear cap->ci under protection of s_cap_lock to avoid the race, and to tightly couple the list and backpointer state. Use a local flag to indicate whether we are releasing the cap, as cap->session may be modified by a racing thread in iterate_session_caps. Signed-off-by: Sage Weil <sage@newdream.net>

commit: f818a73674c5d197f66b636a46d7d578d7258129 [log] [tgz]
author: Sage Weil <sage@newdream.net> Tue May 11 20:56:31 2010 -0700
committer: Sage Weil <sage@newdream.net> Tue May 11 20:56:31 2010 -0700
tree: 90c485b5ca0a211b84ad8feddfce4f301de3d5c9
parent: 45c6ceb547ad2d98215351974a4686bf8cb13e14 [diff] [blame]
diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
index eccc0ec..24561a5 100644
--- a/fs/ceph/mds_client.c
+++ b/fs/ceph/mds_client.c

@@ -736,9 +736,10 @@
 }
 
 /*
- * Helper to safely iterate over all caps associated with a session.
+ * Helper to safely iterate over all caps associated with a session, with
+ * special care taken to handle a racing __ceph_remove_cap().
  *
- * caller must hold session s_mutex
+ * Caller must hold session s_mutex.
  */
 static int iterate_session_caps(struct ceph_mds_session *session,
 				 int (*cb)(struct inode *, struct ceph_cap *,
commit	f818a73674c5d197f66b636a46d7d578d7258129	[log] [tgz]
author	Sage Weil <sage@newdream.net>	Tue May 11 20:56:31 2010 -0700
committer	Sage Weil <sage@newdream.net>	Tue May 11 20:56:31 2010 -0700
tree	90c485b5ca0a211b84ad8feddfce4f301de3d5c9
parent	45c6ceb547ad2d98215351974a4686bf8cb13e14 [diff] [blame]