libceph: fix null dereference when unregistering linger requests

We should only clear r_osd if we are neither registered as a linger or a
regular request.  We may unregister as a linger while still registered as
a regular request (e.g., in reset_osd).  Incorrectly clearing r_osd there
leads to a null pointer dereference in __send_request.

Also simplify the parallel check in __unregister_request() where we just
removed r_osd_item and know it's empty.

Signed-off-by: Sage Weil <sage@newdream.net>

diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c
index 03740e8fc9d1ff24c37971053bcf09c2e18df8cc..3b91d651fe08f995c193eaa6357d1d993f8c89eb 100644 (file)
--- a/net/ceph/osd_client.c
+++ b/net/ceph/osd_client.c
@@ -837,8 +837,7 @@ static void __unregister_request(struct ceph_osd_client *osdc,
                        dout("moving osd to %p lru\n", req->r_osd);
                        __move_osd_to_lru(osdc, req->r_osd);
                }
-               if (list_empty(&req->r_osd_item) &&
-                   list_empty(&req->r_linger_item))
+               if (list_empty(&req->r_linger_item))
                        req->r_osd = NULL;
        }
 
@@ -883,7 +882,8 @@ static void __unregister_linger_request(struct ceph_osd_client *osdc,
                        dout("moving osd to %p lru\n", req->r_osd);
                        __move_osd_to_lru(osdc, req->r_osd);
                }
-               req->r_osd = NULL;
+               if (list_empty(&req->r_osd_item))
+                       req->r_osd = NULL;
        }
 }