From: Milind Changire <mchangir@redhat.com>
Date: Wed, 19 Mar 2025 05:49:21 +0000 (+0530)
Subject: mds: fix issues with use-after-free in C_Flush_Journal
X-Git-Tag: testing/wip-jcollin-testing-20250822.033055-squid^2~1
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=cdea0ee3d091a6932206be687f362583ec2cd2f2;p=ceph-ci.git

mds: fix issues with use-after-free in C_Flush_Journal

Moved dout() statement out of trim_expired_segments() to avoid
dereferencing 'this' object after object deletion via context completion
handler.

Fixes: https://tracker.ceph.com/issues/69953
Signed-off-by: Milind Changire <mchangir@redhat.com>
(cherry picked from commit d14fb9a44ac481bca9f87900aa6a73ec96a3cdce)

Conflicts:
	src/mds/MDSRank.cc
	- resolved conflicts between main and squid branches
---

diff --git a/src/mds/MDSRank.cc b/src/mds/MDSRank.cc
index 85bc8e260e7..bc87248978f 100644
--- a/src/mds/MDSRank.cc
+++ b/src/mds/MDSRank.cc
@@ -213,10 +213,6 @@ private:
     // Now everyone I'm interested in is expired
     mdlog->trim_expired_segments();
 
-    dout(5) << __func__ << ": trim complete, expire_pos/trim_pos is now "
-            << std::hex << mdlog->get_journaler()->get_expire_pos() << "/"
-            << mdlog->get_journaler()->get_trimmed_pos() << dendl;
-
     write_journal_head();
   }
 
@@ -244,6 +240,10 @@ private:
 
   void finish(int r) override {
     dout(20) << __func__ << ": r=" << r << dendl;
+
+    dout(5) << __func__ << ": trimming is complete; wait for journal head write. Journal expire_pos/trim_pos is now "
+            << std::hex << mdlog->get_journaler()->get_expire_pos() << "/"
+            << mdlog->get_journaler()->get_trimmed_pos() << dendl;
     on_finish->complete(r);
   }