From: Milind Changire <mchangir@redhat.com>
Date: Thu, 20 Mar 2025 17:01:32 +0000 (+0530)
Subject: mds: fix issues with use-after-free in C_Flush_Journal
X-Git-Tag: testing/wip-jcollin-testing-20250822.033055-squid^2
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=4dda1f1a759663b2cd7e26eebdd7d4dcd5b278c1;p=ceph-ci.git

mds: fix issues with use-after-free in C_Flush_Journal

Resolved use-after-free issue of ESubtreeMap. The subtreemap event gets
destroyed after it is submitted to the log.

MDLog::submit_event() now returns a sequence number of the submitted event.

Fixes: https://tracker.ceph.com/issues/69953
Signed-off-by: Milind Changire <mchangir@redhat.com>
(cherry picked from commit e1ab8eb78b17b2c0ca606e173f3015c909092700)

Conflicts:
	src/mds/MDLog.h
	src/mds/MDSRank.cc
	- resolved conflicts due to main and squid branch divergence
---

diff --git a/src/mds/MDLog.cc b/src/mds/MDLog.cc
index 75515cdf1e1..7672f24f11f 100644
--- a/src/mds/MDLog.cc
+++ b/src/mds/MDLog.cc
@@ -295,7 +295,7 @@ LogSegment* MDLog::_start_new_segment(SegmentBoundary* sb)
   return ls;
 }
 
-void MDLog::_submit_entry(LogEvent *le, MDSLogContextBase* c)
+LogSegment::seq_t MDLog::_submit_entry(LogEvent *le, MDSLogContextBase* c)
 {
   dout(20) << __func__ << " " << *le << dendl;
   ceph_assert(ceph_mutex_is_locked_by_me(mds->mds_lock));
@@ -342,6 +342,7 @@ void MDLog::_submit_entry(LogEvent *le, MDSLogContextBase* c)
   }
 
   unflushed++;
+  return event_seq;
 }
 
 void MDLog::_segment_upkeep()
diff --git a/src/mds/MDLog.h b/src/mds/MDLog.h
index 3e4e453698e..dd47628a831 100644
--- a/src/mds/MDLog.h
+++ b/src/mds/MDLog.h
@@ -133,11 +133,12 @@ public:
   void kick_submitter();
   void shutdown();
 
-  void submit_entry(LogEvent *e, MDSLogContextBase* c = 0) {
+  LogSegment::seq_t submit_entry(LogEvent *e, MDSLogContextBase* c = 0) {
     std::lock_guard l(submit_mutex);
-    _submit_entry(e, c);
+    auto seq = _submit_entry(e, c);
     _segment_upkeep();
     submit_cond.notify_all();
+    return seq;
   }
 
   void wait_for_safe(Context* c);
@@ -283,7 +284,7 @@ private:
   void try_to_commit_open_file_table(uint64_t last_seq);
   LogSegment* _start_new_segment(SegmentBoundary* sb);
   void _segment_upkeep();
-  void _submit_entry(LogEvent* e, MDSLogContextBase* c);
+  LogSegment::seq_t _submit_entry(LogEvent* e, MDSLogContextBase* c);
 
   void try_expire(LogSegment *ls, int op_prio);
   void _maybe_expired(LogSegment *ls, int op_prio);
diff --git a/src/mds/MDSRank.cc b/src/mds/MDSRank.cc
index bc87248978f..dd6129ea1c6 100644
--- a/src/mds/MDSRank.cc
+++ b/src/mds/MDSRank.cc
@@ -96,8 +96,8 @@ private:
 
     // I need to seal off the current segment, and then mark all
     // previous segments for expiry
-    auto sle = mdcache->create_subtree_map();
-    mdlog->submit_entry(sle);
+    auto* sle = mdcache->create_subtree_map();
+    [[maybe_unused]] LogSegment::seq_t seq = mdlog->submit_entry(sle);
 
     Context *ctx = new LambdaContext([this](int r) {
         handle_flush_mdlog(r);