From: Ilya Dryomov Date: Fri, 21 May 2021 13:27:31 +0000 (+0200) Subject: librbd/cache/pwl/ssd: avoid corrupting m_first_free_entry X-Git-Tag: v16.2.7~50^2~20 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=338e65aa9ec1cd3dcef742cfdf08a9aa10b9cff0;p=ceph.git librbd/cache/pwl/ssd: avoid corrupting m_first_free_entry In append_op_log_entries(), new_first_free_entry is read after append_ops() returns. This can result in accessing freed memory because all I/Os may complete and append_ctx callback may run by the time new_first_free_entry is read. Garbage value gets written to m_first_free_entry and depending on the circumstances it may allow AbstractWriteLog code to accept more dirty user data than we have space for. Luckily we usually crash before then. Fixes: https://tracker.ceph.com/issues/50832 Signed-off-by: Ilya Dryomov (cherry picked from commit d83a0f6db8ff26eeb2c817b1bd192fb357f715df) --- diff --git a/src/librbd/cache/pwl/ssd/WriteLog.cc b/src/librbd/cache/pwl/ssd/WriteLog.cc index ccdc3f665375..b1b6027fd49a 100644 --- a/src/librbd/cache/pwl/ssd/WriteLog.cc +++ b/src/librbd/cache/pwl/ssd/WriteLog.cc @@ -852,6 +852,12 @@ void WriteLog::append_ops(GenericLogOperations &ops, Context *ctx, m_bytes_allocated -= bytes_to_free; } + { + std::lock_guard locker1(m_lock); + m_first_free_entry = *new_first_free_entry; + m_bytes_allocated -= bytes_to_free; + } + bdev->aio_submit(&aio->ioc); *new_first_free_entry = pool_root.first_free_entry; }
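Review bot: in the hunk in WriteLog::append_ops, the added block under m_lock subtracts `bytes_to_free` from `m_bytes_allocated` a second time: the unchanged context line immediately above it already does `m_bytes_allocated -= bytes_to_free;`, and the hunk header (-852,6 +852,12) shows no line being removed, so unless that earlier subtraction is dropped in a hunk outside this excerpt the allocation counter is decremented twice per append and will under-report how much of the log is in use, which is the same class of accounting error the commit message is trying to close. Either remove the subtraction from the new block or remove the earlier one, so the decrement happens exactly once and under the lock. Separately, the new block copies `m_first_free_entry = *new_first_free_entry;` before `bdev->aio_submit(&aio->ioc);`, but the trailing context still assigns `*new_first_free_entry = pool_root.first_free_entry;` only after the submit; with that ordering the value stored under the lock is whatever the out-parameter held before the submit, and the out-parameter itself is still written while the I/O (and its append_ctx callback) may already be in flight, which is the use-after-free window the message describes. Moving the `pool_root.first_free_entry` assignment above the new locked block, and removing the post-submit write, would make the locked copy read the final value and leave nothing touched after aio_submit returns. A short comment on the block stating that m_first_free_entry must be published before submission because the completion callback may free the operation context would help the next reader, since the ordering is the whole point of the fix.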