From 338e65aa9ec1cd3dcef742cfdf08a9aa10b9cff0 Mon Sep 17 00:00:00 2001
From: Ilya Dryomov
Date: Fri, 21 May 2021 15:27:31 +0200
Subject: [PATCH] librbd/cache/pwl/ssd: avoid corrupting m_first_free_entry
In append_op_log_entries(), new_first_free_entry is read after append_ops() returns. This can result in accessing freed memory because all I/Os may complete and append_ctx callback may run by the time new_first_free_entry is read. Garbage value gets written to m_first_free_entry and depending on the circumstances it may allow AbstractWriteLog code to accept more dirty user data than we have space for. Luckily we usually crash before then.
Fixes: https://tracker.ceph.com/issues/50832
Signed-off-by: Ilya Dryomov
(cherry picked from commit d83a0f6db8ff26eeb2c817b1bd192fb357f715df)
---
 src/librbd/cache/pwl/ssd/WriteLog.cc | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/librbd/cache/pwl/ssd/WriteLog.cc b/src/librbd/cache/pwl/ssd/WriteLog.cc
index ccdc3f665375..b1b6027fd49a 100644
--- a/src/librbd/cache/pwl/ssd/WriteLog.cc
+++ b/src/librbd/cache/pwl/ssd/WriteLog.cc
@@ -852,6 +852,12 @@ void WriteLog::append_ops(GenericLogOperations &ops, Context *ctx,
 m_bytes_allocated -= bytes_to_free;
 }
 
+ {
+ std::lock_guard locker1(m_lock);
+ m_first_free_entry = *new_first_free_entry;
+ m_bytes_allocated -= bytes_to_free;
+ }
+
 bdev->aio_submit(&aio->ioc);
 *new_first_free_entry = pool_root.first_free_entry;
 }
-- 
2.47.3
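Review bot: The added block in append_ops() repeats the `m_bytes_allocated -= bytes_to_free;` that is visible in the context line directly above it, and the diffstat records six insertions and no deletions, so unless that earlier decrement and the callback-side `m_first_free_entry = *new_first_free_entry;` described in the commit message were removed by another change, the same ops are now accounted twice and the late dereference of `new_first_free_entry` that this patch is meant to eliminate still runs after the I/O completes. The start of append_ops() and the append_ctx callback body lie outside the hunk, so this needs confirming against the full function rather than the hunk alone. The intent of the new placement is not recorded in the code; a comment on the new block such as `// Publish under m_lock before submit: once the I/O is in flight the completion callback may run and the caller's new_first_free_entry storage is no longer guaranteed to be live.` would stop a later refactor from moving it back into the callback. The trailing `*new_first_free_entry = pool_root.first_free_entry;` still writes to that storage after aio_submit(), which is only safe if the caller keeps it alive until append_ops() returns; that contract should be stated next to the line.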