A B
SharedBlobSet::lookup()
takes lock
nref is not 0
SharedBlob::put()
--nref
returns SharedBlobRef,
++nref
takes cache lock
SharedBlobSet::remove
takes lock
removes
deletes SharedBlob
-> A ends up with a ref to deleted SharedBlob
Fix by verifying that nref is still zero in SharedBlobSet::remove(),
while we are holding the SharedBlobSet::lock. The lock ensures that we
have increased the ref for the lookup before entering remove, so we can
verify that nref is still zero before removing it. If not, we have
raced, and put() bails out and does nothing.
Fixes: http://tracker.ceph.com/issues/36526
Signed-off-by: Sage Weil <sage@redhat.com>
if (coll_snap != coll) {
goto again;
}
- coll_snap->shared_blob_set.remove(this);
-
+ if (!coll_snap->shared_blob_set.remove(this, true)) {
+ // race with lookup
+ return;
+ }
bc._clear(coll_snap->cache);
coll_snap->cache->rm_blob();
}
sb->coll = coll;
}
- void remove(SharedBlob *sb) {
+ bool remove(SharedBlob *sb, bool verify_nref_is_zero=false) {
std::lock_guard l(lock);
ceph_assert(sb->get_parent() == this);
+ if (verify_nref_is_zero && sb->nref != 0) {
+ return false;
+ }
// only remove if it still points to us
auto p = sb_map.find(sb->get_sbid());
if (p != sb_map.end() &&
p->second == sb) {
sb_map.erase(p);
}
+ return true;
}
bool empty() {
projects / ceph.git / commitdiff