From: Sage Weil
Date: Fri, 18 Dec 2015 22:33:41 +0000 (-0500)
Subject: os/bluestore/BlockDevice: fix waiter wakeup use-after-free race
X-Git-Tag: v10.0.3~154^2~77
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=d927919a4bee4b3cb5fe3b8fda04c079fa10e3fd;p=ceph.git
os/bluestore/BlockDevice: fix waiter wakeup use-after-free race
Signed-off-by: Sage Weil
---
diff --git a/src/os/bluestore/BlockDevice.cc b/src/os/bluestore/BlockDevice.cc
index 95797c2bf563..2a74463c4fa1 100644
--- a/src/os/bluestore/BlockDevice.cc
+++ b/src/os/bluestore/BlockDevice.cc
@@ -224,12 +224,15 @@ void BlockDevice::_aio_thread() << " ioc " << ioc << " with " << left << " aios left" << dendl; assert(r >= 0); + // sample waiter count before doing callback (which may + // destroy this ioc). + int waiting = ioc->num_waiting.read(); if (left == 0) { if (ioc->priv) { aio_callback(aio_callback_priv, ioc->priv); } } - if (ioc->num_waiting.read()) { + if (waiting) { dout(20) << __func__ << " waking waiter" << dendl; Mutex::Locker l(ioc->lock); ioc->cond.Signal();
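Review bot: The `if (waiting)` branch still dereferences `ioc` (`ioc->lock`, `ioc->cond`) after `aio_callback` has run, so sampling the count early only removes the `num_waiting.read()` access from the window in which the ioc may already be gone. The remaining accesses are safe only if an ioc with a registered waiter is never freed by the callback, nor by the waiter itself once it observes the running count at zero; nothing in the hunk shows that guarantee. I would record the assumption in the new comment, for example `// if waiting != 0 a waiter still holds this ioc, so it must outlive the Signal() below -- confirm`. If that cannot be guaranteed, the signalling should presumably move ahead of the callback, with `ioc->priv` copied to a local first. The body of `_aio_thread` starts and ends outside the hunk, so the waiter side and the decrement that produces `left` should be checked against this ordering.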