os/bluestore/BlockDevice: fix waiter wakeup use-after-free race

author Sage Weil <sage@redhat.com>

Fri, 18 Dec 2015 22:33:41 +0000 (17:33 -0500)

committer Sage Weil <sage@redhat.com>

Fri, 1 Jan 2016 18:07:24 +0000 (13:07 -0500)
author Sage Weil <sage@redhat.com>
Fri, 18 Dec 2015 22:33:41 +0000 (17:33 -0500)
committer Sage Weil <sage@redhat.com>
Fri, 1 Jan 2016 18:07:24 +0000 (13:07 -0500)
diff --git a/src/os/bluestore/BlockDevice.cc b/src/os/bluestore/BlockDevice.cc

index 95797c2bf563b7d9efc0aa3bc53684b32d56b5bf..2a74463c4fa18727d5f69c7774825d30c1ee06ab 100644 (file)
--- a/src/os/bluestore/BlockDevice.cc
+++ b/src/os/bluestore/BlockDevice.cc
@@ -224,12 +224,15 @@ void BlockDevice::_aio_thread()
                  << " ioc " << ioc
                  << " with " << left << " aios left" << dendl;
         assert(r >= 0);
+       // sample waiter count before doing callback (which may
+       // destroy this ioc).
+       int waiting = ioc->num_waiting.read();
         if (left == 0) {
           if (ioc->priv) {
             aio_callback(aio_callback_priv, ioc->priv);
           }
         }
-       if (ioc->num_waiting.read()) {
+       if (waiting) {
           dout(20) << __func__ << " waking waiter" << dendl;
           Mutex::Locker l(ioc->lock);
           ioc->cond.Signal();
author	Sage Weil <sage@redhat.com>
	Fri, 18 Dec 2015 22:33:41 +0000 (17:33 -0500)
committer	Sage Weil <sage@redhat.com>
	Fri, 1 Jan 2016 18:07:24 +0000 (13:07 -0500)