Project

General

Profile

Actions
Copy link

Bug #21274

closed

Client: if request gets aborted, its reference leaks

Added by Zheng Yan over 6 years ago. Updated over 6 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
% Done:

0%

Source:
Tags:
Backport:
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Component(FS):
Labels (FS):
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

/a/pdonnell-2017-09-06_15:30:20-fs-wip-pdonnell-testing-20170906-distro-basic-smithi/1601384/teuthology.log

log of crashed client
/a/pdonnell-2017-09-06_15:30:20-fs-wip-pdonnell-testing-20170906-distro-basic-smithi/1601384/remote/smithi100/log/ceph-client.guest.68356.log.gz

The reason is that client got backlisted while there is a pending request. No one cleaned up the request and the request held a reference to dentry. So client crashed on shutdown

/build/ceph-13.0.0-437-g3490d03/src/client/Client.cc: 337: FAILED assert(lru.lru_get_size() == 0)

 ceph version 13.0.0-437-g3490d03 (3490d03974d47fae7bd3846d2443cb7c5d7360cb) mimic (dev)
 1: (ceph::__ceph_assert_fail(char const*, char const*, int, char const*)+0x102) [0xc165fc1812]
 2: (Client::tear_down_cache()+0x75a) [0xc165f1e40a]
 3: (Client::~Client()+0x53) [0xc165f56113]
 4: (StandaloneClient::~StandaloneClient()+0x9) [0xc165f566e9]
 5: (main()+0x8e1) [0xc165ecab81]
 6: (__libc_start_main()+0xf0) [0x7f3daaf46830]
 7: (_start()+0x29) [0xc165ed3739]
 NOTE: a copy of the executable, or `objdump -rdS <executable>` is needed to interpret this.
Actions
Copy link
 #1

Updated by Zheng Yan over 6 years ago

  • Subject changed from crash when shutting down blacklisted client to Client: if request gets aborted, its reference leaks
  • Status changed from New to Fix Under Review
  • Backport set to jewel, luminous
Actions
Copy link
 #2

Updated by Patrick Donnelly over 6 years ago

  • Status changed from Fix Under Review to Pending Backport
Actions
Copy link
 #3

Updated by Zheng Yan over 6 years ago

  • Status changed from Pending Backport to Resolved

the bug was introduced by

From 9cb79067dc009b488c9dc2d0c4641da88153bfca Mon Sep 17 00:00:00 2001
From: Danny Al-Gaaf <danny.al-gaaf@bisect.de>
Date: Wed, 10 May 2017 20:42:36 +0200
Subject: [PATCH 11/14] client/Client.cc: fix USE_AFTER_FREE

Don't call put_request() twice, it's already called by
unregister_request()

Fix for:

CID 1405360 (#1 of 1): Use after free (USE_AFTER_FREE)
 deref_arg: Calling put_request dereferences freed pointer request

Signed-off-by: Danny Al-Gaaf <danny.al-gaaf@bisect.de>

does not exist in luminous branch.

Actions
Copy link
 #4

Updated by Zheng Yan over 6 years ago

  • Backport deleted (jewel, luminous)
Actions
Copy link

Also available in: Atom PDF