Bug #64545
open
crimson: OrderedConcurrentPhase::ExitBarrier::exit() does not guarantee that phase survives
% Done: 0%
Regression: No
Severity: 3 - minor
Description
void exit() final {
  if (barrier) {
    assert(phase);
    assert(phase->core == seastar::this_shard_id());
    std::ignore = std::move(*barrier
    ).then([phase=this->phase] {
      phase->mutex.unlock();
    });
    barrier = std::nullopt;
    phase = nullptr;
  } else if (phase) {
    assert(phase->core == seastar::this_shard_id());
    phase->mutex.unlock();
    phase = nullptr;
  }
}
phase->mutex.unlock() can occur significantly after exit() finishes. *phase will generally be embedded in a PG or a Connection, so it's often but not always safe.
https://tracker.ceph.com/issues/63647 was a more dangerous variant because *phase was part of the operation itself.
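An added illustration of the lifetime hazard described above (not code from the Ceph tree): a plain vector of callbacks stands in for Seastar continuations, and `Owner`, `Phase`, `reactor`, `raw_capture` and `pinned_capture` are hypothetical names. The keep-alive capture in the second function is a generic mitigation assumed here for contrast; it is not claimed to be the fix adopted upstream.

```cpp
#include <functional>
#include <memory>
#include <vector>

// Constructed stand-ins; none of these are Ceph or Seastar types.
struct Phase { bool locked = true; void unlock() { locked = false; } };
struct Owner { Phase phase; };  // plays the PG/Connection that embeds *phase

std::vector<std::function<void()>> reactor;  // continuations that run "later"

struct Result { bool owner_alive_at_unlock; bool unlocked; };

// Same shape as exit() in the report: the continuation holds only a raw Phase*.
// A weak_ptr observer records whether the owner still exists when it fires; the
// raw pointer is dereferenced only if it does, so the demo itself has no UB.
Result raw_capture() {
  Result r{false, false};
  auto owner = std::make_shared<Owner>();
  std::weak_ptr<Owner> observer = owner;
  Phase* phase = &owner->phase;
  reactor.push_back([phase, observer, &r] {
    r.owner_alive_at_unlock = !observer.expired();
    if (r.owner_alive_at_unlock) { phase->unlock(); r.unlocked = true; }
    // else: the reported code would run phase->mutex.unlock() on freed memory
  });
  owner.reset();  // exit() has returned and the owner is torn down first
  for (auto& f : reactor) f();
  reactor.clear();
  return r;
}

// Keep-alive variant: the continuation co-owns the Owner until it has run.
Result pinned_capture() {
  Result r{false, false};
  auto owner = std::make_shared<Owner>();
  std::weak_ptr<Owner> observer = owner;
  reactor.push_back([keep = owner, observer, &r] {
    r.owner_alive_at_unlock = !observer.expired();
    keep->phase.unlock();
    r.unlocked = !keep->phase.locked;
  });
  owner.reset();  // same teardown order, but the capture pins the Owner
  for (auto& f : reactor) f();
  reactor.clear();
  return r;
}

int main() { return (!raw_capture().owner_alive_at_unlock && pinned_capture().unlocked) ? 0 : 1; }
```

Building the raw-pointer shape without the observer guard under AddressSanitizer would report the deferred unlock as a heap-use-after-free, the class of finding referenced in the related issue #63647.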
Updated by Samuel Just about 2 years ago
- Related to Bug #64513: crimson: stack-use-after-free in build_incremental_map_msg added
Updated by Samuel Just about 2 years ago
- Related to deleted (Bug #64513: crimson: stack-use-after-free in build_incremental_map_msg)
Updated by Samuel Just about 2 years ago
- Related to Bug #63647: SnapTrimEvent AddressSanitizer: heap-use-after-free added
Updated by Matan Breizman almost 2 years ago
Might be worth referencing https://github.com/ceph/ceph/pull/57978 here for context.