From 5e885cca2214d0b82d630222af82ceff303c8f60 Mon Sep 17 00:00:00 2001
From: Sage Weil <sage@redhat.com>
Date: Mon, 13 Feb 2017 15:26:24 -0500
Subject: [PATCH] osd/Session: fix race between have_backoff() and
 clear_backoffs()

We may return a raw pointer that is about to get deallocated by
clear_backoffs().  Fix by returning a reference, preventing the free.

Signed-off-by: Sage Weil <sage@redhat.com>
---
 src/osd/PG.cc           | 2 +-
 src/osd/PrimaryLogPG.cc | 6 +++---
 src/osd/Session.h       | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/osd/PG.cc b/src/osd/PG.cc
index c6fadd997c98f..fb531e0a44236 100644
--- a/src/osd/PG.cc
+++ b/src/osd/PG.cc
@@ -2301,7 +2301,7 @@ void PG::add_backoff(SessionRef s, const hobject_t& begin, const hobject_t& end)
   ConnectionRef con = s->con;
   if (!con)   // OSD::ms_handle_reset clears s->con without a lock
     return;
-  Backoff *b = s->have_backoff(info.pgid, begin);
+  BackoffRef b(s->have_backoff(info.pgid, begin));
   if (b) {
     derr << __func__ << " already have backoff for " << s << " begin " << begin
 	 << " " << *b << dendl;
diff --git a/src/osd/PrimaryLogPG.cc b/src/osd/PrimaryLogPG.cc
index f27cff38e9861..5ca2a8eced24f 100644
--- a/src/osd/PrimaryLogPG.cc
+++ b/src/osd/PrimaryLogPG.cc
@@ -1621,8 +1621,8 @@ void PrimaryLogPG::do_request(
     session->put();  // get_priv takes a ref, and so does the SessionRef
 
     if (op->get_req()->get_type() == CEPH_MSG_OSD_OP) {
-      Backoff *b = session->have_backoff(info.pgid,
-					 info.pgid.pgid.get_hobj_start());
+      BackoffRef b(session->have_backoff(info.pgid,
+					 info.pgid.pgid.get_hobj_start()));
       if (b) {
 	dout(10) << " have backoff " << *b << " " << *m << dendl;
 	assert(!b->is_acked() || !g_conf->osd_debug_crash_on_ignored_backoff);
@@ -1784,7 +1784,7 @@ void PrimaryLogPG::do_op(OpRequestRef& op)
     }
     session->put();  // get_priv() takes a ref, and so does the intrusive_ptr
 
-    Backoff *b = session->have_backoff(info.pgid, head);
+    BackoffRef b(session->have_backoff(info.pgid, head));
     if (b) {
       dout(10) << __func__ << " have backoff " << *b << " " << *m << dendl;
       assert(!b->is_acked() || !g_conf->osd_debug_crash_on_ignored_backoff);
diff --git a/src/osd/Session.h b/src/osd/Session.h
index d29448550b2ec..91648e60b73c1 100644
--- a/src/osd/Session.h
+++ b/src/osd/Session.h
@@ -166,7 +166,7 @@ struct Session : public RefCountedObject {
     const hobject_t& start,
     const hobject_t& end);
 
-  Backoff *have_backoff(spg_t pgid, const hobject_t& oid) {
+  BackoffRef have_backoff(spg_t pgid, const hobject_t& oid) {
     if (!backoff_count.load()) {
       return nullptr;
     }
@@ -194,7 +194,7 @@ struct Session : public RefCountedObject {
     return nullptr;
   }
 
-  void add_backoff(Backoff *b) {
+  void add_backoff(BackoffRef b) {
     Mutex::Locker l(backoff_lock);
     assert(!backoff_count == backoffs.empty());
     backoffs[b->pgid][b->begin].insert(b);
-- 
2.39.5