rbd: fix leak of format 2 snapshot context

Message ID	518859F7.8060708@inktank.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <ceph-devel-owner@vger.kernel.org> Message-ID: <518859F7.8060708@inktank.com> Date: Mon, 06 May 2013 20:33:43 -0500 From: Alex Elder <elder@inktank.com> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130329 Thunderbird/17.0.5 MIME-Version: 1.0 To: ceph-devel@vger.kernel.org Subject: [PATCH] rbd: fix leak of format 2 snapshot context Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: ceph-devel-owner@vger.kernel.org Precedence: bulk

Message ID

518859F7.8060708@inktank.com (mailing list archive)

State

New, archived

Headers

Message-ID: <518859F7.8060708@inktank.com>
Date: Mon, 06 May 2013 20:33:43 -0500
From: Alex Elder <elder@inktank.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
	rv:17.0) Gecko/20130329 Thunderbird/17.0.5
MIME-Version: 1.0
To: ceph-devel@vger.kernel.org
Subject: [PATCH] rbd: fix leak of format 2 snapshot context
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: ceph-devel-owner@vger.kernel.org
Precedence: bulk

Commit Message

Alex Elder May 7, 2013, 1:33 a.m. UTC

When rbd_dev_v2_refresh() is called, the rbd device already has a
snapshot context associated with it.  But that never gets freed,
the pointer just gets overwritten.

Fix this by dropping the rbd device's reference to the snapshot
context before overwriting the pointer.

Because ceph_put_snap_context() already handles for a null pointer
we don't need to check for that (for the probe case, where no
context has yet been assigned).

This resolves:
    http://tracker.ceph.com/issues/4912

Signed-off-by: Alex Elder <elder@inktank.com>
---
 drivers/block/rbd.c |    1 +
 1 file changed, 1 insertion(+)

 	dout("  snap context seq = %llu, snap_count = %u\n",

Comments

Josh Durgin May 7, 2013, 2:12 p.m. UTC | #1

Alex Elder <elder@inktank.com> wrote:

>When rbd_dev_v2_refresh() is called, the rbd device already has a
>snapshot context associated with it.  But that never gets freed,
>the pointer just gets overwritten.
>
>Fix this by dropping the rbd device's reference to the snapshot
>context before overwriting the pointer.
>
>Because ceph_put_snap_context() already handles for a null pointer
>we don't need to check for that (for the probe case, where no
>context has yet been assigned).
>
>This resolves:
>    http://tracker.ceph.com/issues/4912
>
>Signed-off-by: Alex Elder <elder@inktank.com>
>---
> drivers/block/rbd.c |    1 +
> 1 file changed, 1 insertion(+)
>
>diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
>index c2ca181..4263743 100644
>--- a/drivers/block/rbd.c
>+++ b/drivers/block/rbd.c
>@@ -4004,6 +4004,7 @@ static int rbd_dev_v2_snap_context(struct
>rbd_device *rbd_dev)
> 	for (i = 0; i < snap_count; i++)
> 		snapc->snaps[i] = ceph_decode_64(&p);
>
>+	ceph_put_snap_context(rbd_dev->header.snapc);
> 	rbd_dev->header.snapc = snapc;
>
> 	dout("  snap context seq = %llu, snap_count = %u\n",

Reviewed-by: Josh Durgin <josh.durgin@inktank.com>
--
To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
index c2ca181..4263743 100644
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -4004,6 +4004,7 @@  static int rbd_dev_v2_snap_context(struct
rbd_device *rbd_dev)
 	for (i = 0; i < snap_count; i++)
 		snapc->snaps[i] = ceph_decode_64(&p);

+	ceph_put_snap_context(rbd_dev->header.snapc);
 	rbd_dev->header.snapc = snapc;

rbd: fix leak of format 2 snapshot context

Commit Message

Comments

Patch