libceph: recheck con state after allocating incoming message

We drop the lock when calling the ->alloc_msg() con op, which means
we need to (a) not clobber con->in_msg without the mutex held, and (b)
we need to verify that we are still in the OPEN state when we retake
it to avoid causing any mayhem.  If the state does change, -EAGAIN
will get us back to con_work() and loop.

Signed-off-by: Sage Weil <sage@inktank.com>
Reviewed-by: Alex Elder <elder@inktank.com>

diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
index 13b549b6b1bfae2f54dc0a880bb72e80ee849396..b6655b13155870b0c2769914f7faffe57ec28709 100644 (file)
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -2735,9 +2735,16 @@ static int ceph_con_in_msg_alloc(struct ceph_connection *con, int *skip)
        BUG_ON(con->in_msg != NULL);
 
        if (con->ops->alloc_msg) {
+               struct ceph_msg *msg;
+
                mutex_unlock(&con->mutex);
-               con->in_msg = con->ops->alloc_msg(con, hdr, skip);
+               msg = con->ops->alloc_msg(con, hdr, skip);
                mutex_lock(&con->mutex);
+               if (con->state != CON_STATE_OPEN) {
+                       ceph_msg_put(msg);
+                       return -EAGAIN;
+               }
+               con->in_msg = msg;
                if (con->in_msg) {
                        con->in_msg->con = con->ops->get(con);
                        BUG_ON(con->in_msg->con == NULL);