From 394fbfcc40d77ad6c8b3301c5ff2630c052107cd Mon Sep 17 00:00:00 2001
From: Ruifeng Yang
Date: Fri, 25 Sep 2015 10:18:11 +0800
Subject: [PATCH] Objecter: maybe access wild pointer(op) in _op_submit_with_budget.

look at "after giving up session lock it can be freed at any time by response handler" in _op_submit, so the _op_submit_with_budget::op maybe is wild after call _op_submit.

Fixes: #13208
Signed-off-by: Ruifeng Yang
(cherry picked from commit 0635b1358354b19ae44105576f730381f3b5b963)
---
 src/osdc/Objecter.cc | 19 +++++-------------
 1 file changed, 5 insertions(+), 14 deletions(-)

diff --git a/src/osdc/Objecter.cc b/src/osdc/Objecter.cc
index e8385aacfa631..637024d53b26c 100644
--- a/src/osdc/Objecter.cc
+++ b/src/osdc/Objecter.cc
@@ -1969,13 +1969,10 @@ class C_CancelOp : public Context
   ceph_tid_t tid;
   Objecter *objecter;
 public:
-  C_CancelOp(Objecter *objecter) : objecter(objecter) {}
+  C_CancelOp(ceph_tid_t tid, Objecter *objecter) : tid(tid), objecter(objecter) {}
   void finish(int r) {
     objecter->op_cancel(tid, -ETIMEDOUT);
   }
-  void set_tid(ceph_tid_t _tid) {
-    tid = _tid;
-  }
 };
 
 ceph_tid_t Objecter::op_submit(Op *op, int *ctx_budget)
@@ -2004,21 +2001,15 @@ ceph_tid_t Objecter::_op_submit_with_budget(Op *op, RWLock::Context& lc, int *ct
     }
   }
 
-  C_CancelOp *cb = NULL;
   if (osd_timeout > 0) {
-    cb = new C_CancelOp(this);
-    op->ontimeout = cb;
-  }
-
-  ceph_tid_t tid = _op_submit(op, lc);
-
-  if (cb) {
-    cb->set_tid(tid);
+    if (op->tid == 0)
+      op->tid = last_tid.inc();
+    op->ontimeout = new C_CancelOp(op->tid, this);
     Mutex::Locker l(timer_lock);
     timer.add_event_after(osd_timeout, op->ontimeout);
   }
 
-  return tid;
+  return _op_submit(op, lc);
 }
 
 void Objecter::_send_op_account(Op *op)
-- 
2.39.5
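Review bot: With set_tid() removed, the new C_CancelOp constructor silently depends on the caller having already fixed the op's tid before the callback is built, and nothing at the class documents that ordering. A one-line comment on the constructor would make the contract visible to the next caller, e.g. `// tid must be final here: finish() cancels by it, and it is never updated afterwards.`. The unused `int r` in finish() could also be marked `[[maybe_unused]]` or left unnamed, but that is pre-existing. The class C_CancelOp begins before this hunk.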
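Review bot: The reason the tid is now assigned before _op_submit and the return is folded into the call is stated only in the commit message; the new block in _op_submit_with_budget carries no comment, so a later edit could easily reintroduce a post-call dereference of op. I would add, above the `if (op->tid == 0)` line, `// Pre-assign the tid and arm the timeout now: once _op_submit drops the session lock, op may be freed by the response handler, so nothing may touch it after that call.`. Two things are worth a second look: the timer is armed before _op_submit has registered the op, so a timeout landing in that window would call op_cancel() on a tid that is not yet tracked (whether op_cancel tolerates an unknown tid is outside this hunk), and the `op->tid == 0` guard assumes _op_submit honours a pre-set tid rather than assigning a fresh one, which is also not visible here. _op_submit_with_budget starts outside the hunk.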