From 185779356bfcf3f91f9c9027931971bf36c44d6d Mon Sep 17 00:00:00 2001 From: Brad Hubbard Date: Fri, 27 Nov 2020 10:55:54 +1000 Subject: [PATCH] mon: paxos: Delete logger in destructor reset() can race with shutdown() leading to a use-after-free on the 'logger' object. Fixes: https://tracker.ceph.com/issues/48386 Signed-off-by: Brad Hubbard (cherry picked from commit cc295d1c87552eb76b9188d88d7e6ab2f3108149) Conflicts: src/mon/Paxos.h - stable branch has slightly different Paxos and get_name function declarations --- src/mon/Paxos.cc | 1 - src/mon/Paxos.h | 6 +++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/src/mon/Paxos.cc b/src/mon/Paxos.cc index a6bf59b853fc5..180c80fb83d77 100644 --- a/src/mon/Paxos.cc +++ b/src/mon/Paxos.cc @@ -1336,7 +1336,6 @@ void Paxos::shutdown() finish_contexts(g_ceph_context, committing_finishers, -ECANCELED); if (logger) g_ceph_context->get_perfcounters_collection()->remove(logger); - delete logger; } void Paxos::leader_init() diff --git a/src/mon/Paxos.h b/src/mon/Paxos.h index 4aed2fae77f05..4154ace07cbe7 100644 --- a/src/mon/Paxos.h +++ b/src/mon/Paxos.h @@ -1045,7 +1045,7 @@ public: * @param name A name for the paxos service. It serves as the naming space * of the underlying persistent storage for this service. */ - Paxos(Monitor *m, const string &name) + Paxos(Monitor *m, const string &name) : mon(m), logger(NULL), paxos_name(name), @@ -1065,6 +1065,10 @@ public: clock_drift_warned(0), trimming(false) { } + ~Paxos() { + delete logger; + } + const string get_name() const { return paxos_name; } -- 2.39.5