From f3609205e71de0b6e00fd4f5a9fffe7476d5fd73 Mon Sep 17 00:00:00 2001
From: Sage Weil
Date: Fri, 25 Jul 2014 13:17:32 -0700
Subject: [PATCH] common/RefCountedObject: fix use-after-free in debug print

We could race with another thread that deletes this right after we call dec(). Our access of cct would then become a use-after-free. Valgrind managed to turn this up.

Copy it into a local variable before the dec() to be safe, and move the dout line below to make this possibility explicit and obvious in the code.

Signed-off-by: Sage Weil
---
 src/common/RefCountedObj.h | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/common/RefCountedObj.h b/src/common/RefCountedObj.h
index f9644a791ce..b16e071238a 100644
--- a/src/common/RefCountedObj.h
+++ b/src/common/RefCountedObj.h
@@ -39,13 +39,14 @@ public:
     return this;
   }
   void put() {
+    CephContext *local_cct = cct;
     int v = nref.dec();
-    if (cct)
-      lsubdout(cct, refs, 1) << "RefCountedObject::put " << this << " "
-                             << (v + 1) << " -> " << v
-                             << dendl;
     if (v == 0)
       delete this;
+    if (local_cct)
+      lsubdout(local_cct, refs, 1) << "RefCountedObject::put " << this << " "
+                                   << (v + 1) << " -> " << v
+                                   << dendl;
   }
   void set_cct(CephContext *c) {
     cct = c;
-- 
2.47.3
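Review bot: The ordering that makes put() safe is not stated in the code, so a later edit that reads `cct` after `nref.dec()` or moves the log back above `delete this` would silently reintroduce the race this commit fixes; a why-comment on the new `CephContext *local_cct = cct;` line should pin it, e.g. `// Snapshot cct before dec(): once our reference is released another thread's put() may delete this, so no member may be read afterwards.`. The trailing `lsubdout(local_cct, ...)` also emits `this` after `delete this`; as written it is only formatted as an address, but a comment such as `// 'this' is printed as a bare pointer value only -- the object may already be freed` would make that intent explicit, and since lsubdout is a macro defined outside the hunk, that it does nothing more with `this` cannot be confirmed from here. The fix also presumes the CephContext outlives the object so that `local_cct` stays valid after the delete; that lifetime assumption is worth naming in the same comment.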