From 08d96fba1e3401fcb4de48b1a69a3bfec10aad21 Mon Sep 17 00:00:00 2001
From: Sage Weil
Date: Mon, 4 Mar 2019 09:13:06 -0600
Subject: [PATCH] osd/PG: do not touch this->cct after PG is destroyed

- thread A drops last second-to-last ref
- thread B drops last ref
- thread B deletes pg
- thread A does lgeneric_subdout(cct, refs, 1) << "PG::put " << this << " " ..

touching this->cct, a use-after-free that valgrind notices with InvalidRead

Invalid read of size 8
0x74ED34 /usr/bin/ceph-osd PG::put(char const*) /usr/src/debug/ceph-14.1.0-283-g569f086/src/osd PG.cc 179
0x7C1E76 /usr/bin/ceph-osd ContainerContext<boost::intrusive_ptr<PG> >::~ContainerContext() /usr/src/debug/ceph-14.1.0-283-g569f086/src/osd PG.h 566
0xC95675 /usr/bin/ceph-osd Finisher::finisher_thread_entry() /usr/src/debug/ceph-14.1.0-283-g569f086/src/common Finisher.cc 67
0xD656E24 /usr/lib64/libpthread-2.17.so start_thread
0xE5B4BAC /usr/lib64/libc-2.17.so clone
Address 0x470b29e8 is 152 bytes inside a block of size 11,632 free'd
...

Fixes: http://tracker.ceph.com/issues/38484
Signed-off-by: Sage Weil
---
 src/osd/PG.cc | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/osd/PG.cc b/src/osd/PG.cc
index 3e779341f82..db6b22d90b7 100644
--- a/src/osd/PG.cc
+++ b/src/osd/PG.cc
@@ -175,10 +175,12 @@ void PG::put(const char* tag)
 }
 }
 #endif
+ auto local_cct = cct;
 int after = --ref;
- lgeneric_subdout(cct, refs, 5) << "PG::put " << this << " "
- << "tag " << (tag ? tag : "(none") << " "
- << (after + 1) << " -> " << after << dendl;
+ lgeneric_subdout(local_cct, refs, 5) << "PG::put " << this << " "
+ << "tag " << (tag ? tag : "(none") << " "
+ << (after + 1) << " -> " << after
+ << dendl;
 if (after == 0)
 delete this;
 }
-- 
2.39.5
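Review bot: The added line `auto local_cct = cct;` carries the whole correctness argument of this fix but says nothing about it, so a later edit could easily move the log statement back onto `cct`; it deserves a comment such as `// copy cct before the decrement: once ref reaches zero another thread may delete this PG, so no member may be read afterwards`. The fix also relies on the CephContext behind the pointer outliving the PG, which seems to be the case here but is not stated anywhere in the hunk. The rewritten log lines keep the pre-existing unbalanced fallback string `"(none"`; since these lines are being touched anyway, `(tag ? tag : "(none)")` would close it. Streaming `this` after the decrement is fine because it only prints the pointer value, but any other member access in that log line would reintroduce the same use-after-free. PG::put's body begins above the hunk.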