From 07f36b562e6cc91af38b3d1c57ec1a7e6f0713be Mon Sep 17 00:00:00 2001
From: Sage Weil <sage@redhat.com>
Date: Mon, 8 Sep 2014 13:44:57 -0700
Subject: [PATCH] osdc/Objecter: revoke rx_buffer on op_cancel

If we cancel a read, revoke the rx buffers to avoid a use-after-free and/or
other undefined badness by using user buffers that may no longer be
present.

Fixes: #9362
Backport: firefly, dumpling
Reported-by: Matthias Kiefer <matthias.kiefer@1und1.de>
Signed-off-by: Sage Weil <sage@redhat.com>
---
 src/osdc/Objecter.cc | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/osdc/Objecter.cc b/src/osdc/Objecter.cc
index e77ea89fca873..407c38e543f9d 100644
--- a/src/osdc/Objecter.cc
+++ b/src/osdc/Objecter.cc
@@ -1856,6 +1856,12 @@ int Objecter::op_cancel(OSDSession *s, ceph_tid_t tid, int r)
     return -ENOENT;
   }
 
+  if (s->con) {
+    ldout(cct, 20) << " revoking rx buffer for " << tid
+		   << " on " << s->con << dendl;
+    s->con->revoke_rx_buffer(tid);
+  }
+
   ldout(cct, 10) << __func__ << " tid " << tid << dendl;
   Op *op = p->second;
   if (op->onack) {