Project

General

Profile

Actions
Copy link

Bug #24219

closed

osd: InProgressOp freed by on_change(); in-flight op may use-after-free in op_commit()

Added by Sage Weil almost 6 years ago. Updated almost 6 years ago.

Status:
Resolved
Priority:
High
Assignee:
-
Category:
-
Target version:
-
% Done:

0%

Source:
Tags:
Backport:
mimic
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Component(RADOS):
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

2018-05-21 20:28:00.466 7f4c4ca28700 10 osd.1 pg_epoch: 22 pg[4.3( v 22'196 (0'0,22'196] local-lis/les=16/17 n=196 ec=16/16 lis/c 16/16 les/c/f 17/17/0 16/16/16) [1,2] r=0 lpr=16 DELETING luod=0'0 crt=22'196 lcod 22'194 mlcod 0'0 active+clean] clear_recovery_state
...
2018-05-21 20:28:00.466 7f4c3e9b8700 10 osd.1 pg_epoch: 22 pg[4.3( v 22'196 (0'0,22'196] local-lis/les=16/17 n=196 ec=16/16 lis/c 16/16 les/c/f 17/17/0 16/16/16) [1,2] r=0 lpr=16 DELETING luod=0'0 crt=22'196 lcod 22'194 mlcod 0'0 active+clean] op_commit: 1133
...
2018-05-21 20:28:00.470 7f4c4e22b700  1 -- 172.21.15.114:6801/14639 <== osd.2 172.21.15.6:6801/14619 1417 ==== osd_repop_reply(client.4324.0:3103 4.3 e22/16) v2 ==== 111+0+0 (3408559827 0 0) 0x556e6584de00 con 0x556e620b6a00
...
2018-05-21 20:28:00.470 7f4c3e9b8700 -1 *** Caught signal (Segmentation fault) **
 in thread 7f4c3e9b8700 thread_name:finisher

 ceph version 13.1.0-188-g063fb45 (063fb4524a2277e768fb13c8c0c704f4d34459c7) mimic (rc)
 1: (()+0x9131f0) [0x556e5da7a1f0]
 2: (()+0x11390) [0x7f4c52ddb390]
 3: (std::_Rb_tree<pg_shard_t, pg_shard_t, std::_Identity<pg_shard_t>, std::less<pg_shard_t>, std::allocator<pg_shard_t> >::equal_range(pg_shard_t const&)+0x28) [0x556e5d6089c8]
 4: (std::_Rb_tree<pg_shard_t, pg_shard_t, std::_Identity<pg_shard_t>, std::less<pg_shard_t>, std::allocator<pg_shard_t> >::erase(pg_shard_t const&)+0x10) [0x556e5d60bfe0]
 5: (ReplicatedBackend::op_commit(ReplicatedBackend::InProgressOp*)+0x95) [0x556e5d7f53e5]
 6: (Context::complete(int)+0x9) [0x556e5d558009]
 7: (PrimaryLogPG::BlessedContext::finish(int)+0xa0) [0x556e5d6d8550]
 8: (Context::complete(int)+0x9) [0x556e5d558009]
 9: (Finisher::finisher_thread_entry()+0x12e) [0x7f4c5432406e]
 10: (()+0x76ba) [0x7f4c52dd16ba]
 11: (clone()+0x6d) [0x7f4c525fa41d]
 NOTE: a copy of the executable, or `objdump -rdS <executable>` is needed to interpret this.

/a/teuthology-2018-05-21_20:00:50-powercycle-mimic-distro-basic-smithi/2563168
Actions
Copy link
 #1

Updated by Sage Weil almost 6 years ago

  • Status changed from 12 to Fix Under Review
Actions
Copy link
 #2

Updated by Sage Weil almost 6 years ago

/a/teuthology-2018-05-21_20:00:50-powercycle-mimic-distro-basic-smithi/2563192

powercycle/osd/{clusters/3osd-1per-target.yaml objectstore/bluestore-bitmap.yaml powercycle/default.yaml tasks/radosbench.yaml thrashosds-health.yaml whitelist_health.yaml}

/a/teuthology-2018-05-21_20:00:50-powercycle-mimic-distro-basic-smithi/2563206

powercycle/osd/{clusters/3osd-1per-target.yaml objectstore/bluestore-comp.yaml powercycle/default.yaml tasks/radosbench.yaml thrashosds-health.yaml whitelist_health.yaml}

Actions
Copy link
 #3

Updated by Sage Weil almost 6 years ago

  • Status changed from Fix Under Review to Pending Backport
  • Backport set to mimic
Actions
Copy link
 #4

Updated by Sage Weil almost 6 years ago

  • Status changed from Pending Backport to Resolved
Actions
Copy link

Also available in: Atom PDF