Bug #24219
osd: InProgressOp freed by on_change(); in-flight op may use-after-free in op_commit()
Status: Resolved
Priority: High
Assignee: -
Category: -
Target version: -
% Done: 0%
Source:
Tags:
Backport: mimic
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Component(RADOS):
Pull request ID:
Crash signature (v1):
Crash signature (v2):
Description
2018-05-21 20:28:00.466 7f4c4ca28700 10 osd.1 pg_epoch: 22 pg[4.3( v 22'196 (0'0,22'196] local-lis/les=16/17 n=196 ec=16/16 lis/c 16/16 les/c/f 17/17/0 16/16/16) [1,2] r=0 lpr=16 DELETING luod=0'0 crt=22'196 lcod 22'194 mlcod 0'0 active+clean] clear_recovery_state
...
2018-05-21 20:28:00.466 7f4c3e9b8700 10 osd.1 pg_epoch: 22 pg[4.3( v 22'196 (0'0,22'196] local-lis/les=16/17 n=196 ec=16/16 lis/c 16/16 les/c/f 17/17/0 16/16/16) [1,2] r=0 lpr=16 DELETING luod=0'0 crt=22'196 lcod 22'194 mlcod 0'0 active+clean] op_commit: 1133
...
2018-05-21 20:28:00.470 7f4c4e22b700 1 -- 172.21.15.114:6801/14639 <== osd.2 172.21.15.6:6801/14619 1417 ==== osd_repop_reply(client.4324.0:3103 4.3 e22/16) v2 ==== 111+0+0 (3408559827 0 0) 0x556e6584de00 con 0x556e620b6a00
...
2018-05-21 20:28:00.470 7f4c3e9b8700 -1 *** Caught signal (Segmentation fault) **
 in thread 7f4c3e9b8700 thread_name:finisher
 ceph version 13.1.0-188-g063fb45 (063fb4524a2277e768fb13c8c0c704f4d34459c7) mimic (rc)
 1: (()+0x9131f0) [0x556e5da7a1f0]
 2: (()+0x11390) [0x7f4c52ddb390]
 3: (std::_Rb_tree<pg_shard_t, pg_shard_t, std::_Identity<pg_shard_t>, std::less<pg_shard_t>, std::allocator<pg_shard_t> >::equal_range(pg_shard_t const&)+0x28) [0x556e5d6089c8]
 4: (std::_Rb_tree<pg_shard_t, pg_shard_t, std::_Identity<pg_shard_t>, std::less<pg_shard_t>, std::allocator<pg_shard_t> >::erase(pg_shard_t const&)+0x10) [0x556e5d60bfe0]
 5: (ReplicatedBackend::op_commit(ReplicatedBackend::InProgressOp*)+0x95) [0x556e5d7f53e5]
 6: (Context::complete(int)+0x9) [0x556e5d558009]
 7: (PrimaryLogPG::BlessedContext::finish(int)+0xa0) [0x556e5d6d8550]
 8: (Context::complete(int)+0x9) [0x556e5d558009]
 9: (Finisher::finisher_thread_entry()+0x12e) [0x7f4c5432406e]
 10: (()+0x76ba) [0x7f4c52dd16ba]
 11: (clone()+0x6d) [0x7f4c525fa41d]
 NOTE: a copy of the executable, or `objdump -rdS <executable>` is needed to interpret this.
/a/teuthology-2018-05-21_20:00:50-powercycle-mimic-distro-basic-smithi/2563168