From: Jason Dillaman
Date: Tue, 28 Apr 2015 15:12:00 +0000 (-0400)
Subject: osdc: invalid read of freed memory
X-Git-Tag: v0.94.3~28^2~2
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=aa3eb28f6be62991bc790de5c19cb7b6e30fa189;p=ceph.git
osdc: invalid read of freed memory
The bytes not in cache stat was potentially reading the bh length from a deleted bufferhead.
Signed-off-by: Jason Dillaman
(cherry picked from commit 5ccc4422d6172376bd6f1be8d3a99c0a54eab807)
---
diff --git a/src/osdc/ObjectCacher.cc b/src/osdc/ObjectCacher.cc
index 75174a68ff290..95f4b8f504b82 100644
--- a/src/osdc/ObjectCacher.cc
+++ b/src/osdc/ObjectCacher.cc
@@ -1144,6 +1144,7 @@ int ObjectCacher::_readx(OSDRead *rd, ObjectSet *oset, Context *onfinish,
 ++bh_it) {
 uint64_t rx_bytes = static_cast(
 stat_rx + bh_it->second->length());
+ bytes_not_in_cache += bh_it->second->length();
 if (!waitfor_read.empty() || rx_bytes > max_size) {
 // cache is full with concurrent reads -- wait for rx's to complete
 // to constrain memory growth (especially during copy-ups)
@@ -1165,7 +1166,6 @@ int ObjectCacher::_readx(OSDRead *rd, ObjectSet *oset, Context *onfinish,
 bh_it->second->waitfor_read[bh_it->first].push_back( new C_RetryRead(this, rd, oset, onfinish) );
 }
 }
- bytes_not_in_cache += bh_it->second->length();
 success = false;
 }
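Review bot: The added `bytes_not_in_cache += bh_it->second->length();` in the first hunk is only safe because it now runs before the `if (!waitfor_read.empty() || rx_bytes > max_size)` branch, and nothing on the line records that ordering constraint. I would put a comment above it, for example `// read the length up front: the bh may already be deleted by the end of this iteration`, so a later cleanup does not move the stat update back to the end of the loop body, where the second hunk removes it. The code that frees the bufferhead is not visible in either hunk, so it is worth confirming that no other access to `bh_it->second` follows it before `success = false;`; running the read path under valgrind or ASan would cover that. `_readx` and the enclosing loop both start and end outside the hunks.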