client: crash caused by invalid iterator in _readdir_cache_cb

[zhsgao]

Capacity of readdir_cache may change after client_lock is unlocked in iterations of readdir_cache, and it can cause the iterator to be invalid, then using the invalid iterator in the next iteration will cause crash.
Crash may happen at Dentry *dn = *pd (pd points to invalid memory), or at if (pd >= dir->readdir_cache.end() || *pd != dn) (pd is smaller than begin() if idx is negative).
Use index instead of iterator to solve this problem.

Fixes: https://tracker.ceph.com/issues/72247
Signed-off-by: Zhansong Gao zhsgao@hotmail.com

Contribution Guidelines

• To sign and title your commits, please refer to Submitting Patches to Ceph.

• If you are submitting a fix for a stable branch (e.g. "quincy"), please refer to Submitting Patches to Ceph - Backports for the proper workflow.

• When filling out the below checklist, you may click boxes directly in the GitHub web UI. When entering or editing the entire PR message in the GitHub web UI editor, you may also select a checklist item by adding an x between the brackets: [x]. Spaces and capitalization matter when checking off items this way.

Checklist

• Tracker (select at least one)
  • References tracker ticket
  • Very recent bug; references commit where it was introduced
  • New feature (ticket optional)
  • Doc update (no ticket needed)
  • Code cleanup (no ticket needed)
• Component impact
  • Affects Dashboard, opened tracker ticket
  • Affects Orchestrator, opened tracker ticket
  • No impact that needs to be tracked
• Documentation (select at least one)
  • Updates relevant documentation
  • No doc update is appropriate
• Tests (select at least one)
  • Includes unit test(s)
  • Includes integration test(s)
  • Includes bug reproducer
  • No tests

Show available Jenkins commands

• jenkins test classic perf Jenkins Job | Jenkins Job Definition
• jenkins test crimson perf Jenkins Job | Jenkins Job Definition
• jenkins test signed Jenkins Job | Jenkins Job Definition
• jenkins test make check Jenkins Job | Jenkins Job Definition
• jenkins test make check arm64 Jenkins Job | Jenkins Job Definition
• jenkins test submodules Jenkins Job | Jenkins Job Definition
• jenkins test dashboard Jenkins Job | Jenkins Job Definition
• jenkins test dashboard cephadm Jenkins Job | Jenkins Job Definition
• jenkins test api Jenkins Job | Jenkins Job Definition
• jenkins test docs ReadTheDocs | Github Workflow Definition
• jenkins test ceph-volume all Jenkins Jobs | Jenkins Jobs Definition
• jenkins test windows Jenkins Job | Jenkins Job Definition
• jenkins test rook e2e Jenkins Job | Jenkins Job Definition

[vshankar]

@dparmar18 PTAL

[vshankar]

jenkins retest this please

[vshankar]

@dparmar18 ptal to review the fix.

[vshankar]

jenkins test windows

[dparmar18]

@dparmar18 ptal to review the fix.

on it now

[vshankar]

@dparmar18 gentle nudge on this.

[dparmar18]

@zhsgao the code looks good, can this be reproduced locally/easily? Do you have/know any instances where it crashed?

[zhsgao]

@zhsgao the code looks good, can this be reproduced locally/easily? Do you have/know any instances where it crashed?

I have a few crashes and I find out through the coredump that they happen at *pd != dn of if (pd >= dir->readdir_cache.end() || *pd != dn), so I think it is caused by invalid iterator pd.
I haven't tried to reproduce it yet, maybe it's not easy to reproduce.

[dparmar18]

@zhsgao the code looks good, can this be reproduced locally/easily? Do you have/know any instances where it crashed?

I have a few crashes and I find out through the coredump that they happen at *pd != dn of if (pd >= dir->readdir_cache.end() || *pd != dn), so I think it is caused by invalid iterator pd. I haven't tried to reproduce it yet, maybe it's not easy to reproduce.

yeah if the invalid *pd is dereferenced then it should codedump but i'm keen to know cases where it happens, is there any pattern you've noticed with your workload that might've triggered it?

[vshankar]

LGTM

[vshankar]

This PR is under test in https://tracker.ceph.com/issues/72565.

[dparmar18]

code looks good

[zhsgao]

@zhsgao the code looks good, can this be reproduced locally/easily? Do you have/know any instances where it crashed?

I have a few crashes and I find out through the coredump that they happen at *pd != dn of if (pd >= dir->readdir_cache.end() || *pd != dn), so I think it is caused by invalid iterator pd. I haven't tried to reproduce it yet, maybe it's not easy to reproduce.

yeah if the invalid *pd is dereferenced then it should codedump but i'm keen to know cases where it happens, is there any pattern you've noticed with your workload that might've triggered it?

I have tried to reproduce the crash but have not been successful, so there is no case for it yet.

[vshankar]

This PR is under test in https://tracker.ceph.com/issues/72565.

Have to rerun tests due to unrelated infra failures.

[vshankar]

https://tracker.ceph.com/projects/cephfs/wiki/QA_main_2025#wip-vshankar-testing-20250829190601-debug

[vshankar]

Nice work @zhsgao