From: Jason Dillaman <dillaman@redhat.com>
Date: Tue, 28 Apr 2015 15:12:00 +0000 (-0400)
Subject: osdc: invalid read of freed memory
X-Git-Tag: v9.0.1~47^2~1
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=5ccc4422d6172376bd6f1be8d3a99c0a54eab807;p=ceph.git

osdc: invalid read of freed memory

The bytes not in cache stat was potentially reading the bh length
from a deleted bufferhead.

Signed-off-by: Jason Dillaman <dillaman@redhat.com>
---

diff --git a/src/osdc/ObjectCacher.cc b/src/osdc/ObjectCacher.cc
index 7158350bf4bf..5465706370fc 100644
--- a/src/osdc/ObjectCacher.cc
+++ b/src/osdc/ObjectCacher.cc
@@ -1157,6 +1157,7 @@ int ObjectCacher::_readx(OSDRead *rd, ObjectSet *oset, Context *onfinish,
            ++bh_it) {
 	uint64_t rx_bytes = static_cast<uint64_t>(
 	  stat_rx + bh_it->second->length());
+        bytes_not_in_cache += bh_it->second->length();
 	if (!waitfor_read.empty() || rx_bytes > max_size) {
 	  // cache is full with concurrent reads -- wait for rx's to complete
 	  // to constrain memory growth (especially during copy-ups)
@@ -1175,7 +1176,6 @@ int ObjectCacher::_readx(OSDRead *rd, ObjectSet *oset, Context *onfinish,
 	  if ((success && onfinish) || last != missing.end())
 	    last = bh_it;
 	}
-        bytes_not_in_cache += bh_it->second->length();
 	success = false;
       }