osdc: invalid read of freed memory
authorJason Dillaman <dillaman@redhat.com>
Tue, 28 Apr 2015 15:12:00 +0000 (11:12 -0400)
committerJason Dillaman <dillaman@redhat.com>
Fri, 17 Jul 2015 18:17:04 +0000 (14:17 -0400)
The bytes not in cache stat was potentially reading the bh length
from a deleted bufferhead.

Signed-off-by: Jason Dillaman <dillaman@redhat.com>
(cherry picked from commit 5ccc4422d6172376bd6f1be8d3a99c0a54eab807)

src/osdc/ObjectCacher.cc

index 75174a68ff290c57fa36e4b587aa7d19787c983b..95f4b8f504b82652db5230dcd5edb911fe275aa4 100644 (file)
@@ -1144,6 +1144,7 @@ int ObjectCacher::_readx(OSDRead *rd, ObjectSet *oset, Context *onfinish,
            ++bh_it) {
        uint64_t rx_bytes = static_cast<uint64_t>(
          stat_rx + bh_it->second->length());
+        bytes_not_in_cache += bh_it->second->length();
        if (!waitfor_read.empty() || rx_bytes > max_size) {
          // cache is full with concurrent reads -- wait for rx's to complete
          // to constrain memory growth (especially during copy-ups)
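Review bot: The position of `bytes_not_in_cache += bh_it->second->length();` directly after the rx_bytes computation is now load-bearing for memory safety, but nothing in the code says so. According to the commit message the bufferhead can be deleted later in the same iteration; that delete falls between the two hunks and is not visible here, so a later cleanup could move the stat update back below the branch and reintroduce the read of freed memory. I would add a comment above the line such as `// read the length before the branch below: the bh may be deleted there`. It would also help to read `bh_it->second->length()` once into a local of its return type and use that for both rx_bytes and bytes_not_in_cache, so that no later statement in the loop has to dereference the bh for its size. The loop and `_readx` both begin and end outside this hunk, so whether any other use of `bh_it->second` follows the delete should be checked against the full function.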
@@ -1165,7 +1166,6 @@ int ObjectCacher::_readx(OSDRead *rd, ObjectSet *oset, Context *onfinish,
            bh_it->second->waitfor_read[bh_it->first].push_back( new C_RetryRead(this, rd, oset, onfinish) );
          }
        }
-        bytes_not_in_cache += bh_it->second->length();
        success = false;
       }