Bug #40436: multisite: use-after-free of RGWFetchRemoteObjCR::zones_trace - rgw - Ceph

Actions

Copy link

Bug #40436

open

multisite: use-after-free of RGWFetchRemoteObjCR::zones_trace

Added by Casey Bodley almost 5 years ago. Updated almost 5 years ago.

Status:

New

Priority:

Normal

Assignee:

Target version:

% Done:

Source:

Q/A

Tags:

multisite

Backport:

luminous mimic nautilus

Regression:

Severity:

3 - minor

Reviewed:

Affected Versions:

ceph-qa-suite:

Pull request ID:

Crash signature (v1):

Crash signature (v2):

Description

on shutdown or realm reload, RGWBucketSyncSingleEntryCR can destruct before RGWFetchRemoteObjCR completes. RGWFetchRemoteObjCR should not store a pointer into memory owned by RGWBucketSyncSingleEntryCR

Actions

Copy link

Updated by Casey Bodley almost 5 years ago

Source set to Q/A

Actions

Copy link

Updated by Casey Bodley almost 5 years ago

example backtrace:

 ceph version 12.2.8-128.el7cp (030358773c5213a14c1444a5147258672b2dc15f) luminous (stable)
 1: (()+0x2d2111) [0x562c794e4111]
 2: (()+0xf5d0) [0x7f7c055625d0]
 3: (gsignal()+0x37) [0x7f7bf991a207]
 4: (abort()+0x148) [0x7f7bf991b8f8]
 5: (__gnu_cxx::__verbose_terminate_handler()+0x165) [0x7f7bfa2297d5]
 6: (()+0x5e746) [0x7f7bfa227746]
 7: (()+0x5e773) [0x7f7bfa227773]
 8: (__cxa_rethrow()+0x49) [0x7f7bfa2279e9]
 9: (std::_Rb_tree<std::string, std::string, std::_Identity<std::string>, std::less<std::string>, std::allocator<std::string> >::_M_copy(std::_Rb_tree_node<std::string> const*, std::_Rb_tree_node<std::string>*)+
0x14d) [0x562c79456bad]
 10: (std::_Rb_tree<std::string, std::string, std::_Identity<std::string>, std::less<std::string>, std::allocator<std::string> >::operator=(std::_Rb_tree<std::string, std::string, std::_Identity<std::string>, st
d::less<std::string>, std::allocator<std::string> > const&)+0x47) [0x562c7954b477]
 11: (RGWRados::cls_obj_complete_op(RGWRados::BucketShard&, rgw_obj const&, RGWModifyOp, std::string&, long, unsigned long, rgw_bucket_dir_entry&, RGWObjCategory, std::list<cls_rgw_obj_key, std::allocator<cls_rg
w_obj_key> >*, unsigned short, std::set<std::string, std::less<std::string>, std::allocator<std::string> >*)+0x1ab) [0x562c7961979b]
 12: (RGWRados::cls_obj_complete_add(RGWRados::BucketShard&, rgw_obj const&, std::string&, long, unsigned long, rgw_bucket_dir_entry&, RGWObjCategory, std::list<cls_rgw_obj_key, std::allocator<cls_rgw_obj_key> >
*, unsigned short, std::set<std::string, std::less<std::string>, std::allocator<std::string> >*)+0x44) [0x562c79619a64]
 13: (RGWRados::Bucket::UpdateIndex::complete(long, unsigned long, unsigned long, unsigned long, std::chrono::time_point<ceph::time_detail::real_clock, std::chrono::duration<unsigned long, std::ratio<1l, 1000000
000l> > >&, std::string const&, std::string const&, ceph::buffer::list*, RGWObjCategory, std::list<cls_rgw_obj_key, std::allocator<cls_rgw_obj_key> >*, std::string const*)+0x3ad) [0x562c796414dd]
 14: (RGWRados::Object::Write::_do_write_meta(unsigned long, unsigned long, std::map<std::string, ceph::buffer::list, std::less<std::string>, std::allocator<std::pair<std::string const, ceph::buffer::list> > >&,
 bool, bool, void*)+0x615) [0x562c7965ec95]
 15: (RGWRados::Object::Write::write_meta(unsigned long, unsigned long, std::map<std::string, ceph::buffer::list, std::less<std::string>, std::allocator<std::pair<std::string const, ceph::buffer::list> > >&)+0x2
fa) [0x562c7965f9da]
 16: (RGWPutObjProcessor_Atomic::do_complete(unsigned long, std::string const&, std::chrono::time_point<ceph::time_detail::real_clock, std::chrono::duration<unsigned long, std::ratio<1l, 1000000000l> > >*, std::
chrono::time_point<ceph::time_detail::real_clock, std::chrono::duration<unsigned long, std::ratio<1l, 1000000000l> > >, std::map<std::string, ceph::buffer::list, std::less<std::string>, std::allocator<std::pair<
std::string const, ceph::buffer::list> > >&, std::chrono::time_point<ceph::time_detail::real_clock, std::chrono::duration<unsigned long, std::ratio<1l, 1000000000l> > >, char const*, char const*, std::string con
st*, std::set<std::string, std::less<std::string>, std::allocator<std::string> >*)+0x341) [0x562c7965fdf1]
 17: (RGWPutObjProcessor::complete(unsigned long, std::string const&, std::chrono::time_point<ceph::time_detail::real_clock, std::chrono::duration<unsigned long, std::ratio<1l, 1000000000l> > >*, std::chrono::ti
me_point<ceph::time_detail::real_clock, std::chrono::duration<unsigned long, std::ratio<1l, 1000000000l> > >, std::map<std::string, ceph::buffer::list, std::less<std::string>, std::allocator<std::pair<std::strin
g const, ceph::buffer::list> > >&, std::chrono::time_point<ceph::time_detail::real_clock, std::chrono::duration<unsigned long, std::ratio<1l, 1000000000l> > >, char const*, char const*, std::string const*, std::
set<std::string, std::less<std::string>, std::allocator<std::string> >*)+0x42) [0x562c79607282]
 18: (RGWRados::fetch_remote_obj(RGWObjectCtx&, rgw_user const&, std::string const&, std::string const&, bool, req_info*, std::string const&, rgw_obj&, rgw_obj&, RGWBucketInfo&, RGWBucketInfo&, std::chrono::time
_point<ceph::time_detail::real_clock, std::chrono::duration<unsigned long, std::ratio<1l, 1000000000l> > >*, std::chrono::time_point<ceph::time_detail::real_clock, std::chrono::duration<unsigned long, std::ratio
<1l, 1000000000l> > >*, std::chrono::time_point<ceph::time_detail::real_clock, std::chrono::duration<unsigned long, std::ratio<1l, 1000000000l> > > const*, std::chrono::time_point<ceph::time_detail::real_clock,
std::chrono::duration<unsigned long, std::ratio<1l, 1000000000l> > > const*, bool, char const*, char const*, RGWRados::AttrsMod, bool, std::map<std::string, ceph::buffer::list, std::less<std::string>, std::alloc
ator<std::pair<std::string const, ceph::buffer::list> > >&, RGWObjCategory, boost::optional<unsigned long>, std::chrono::time_point<ceph::time_detail::real_clock, std::chrono::duration<unsigned long, std::ratio<
1l, 1000000000l> > >, std::string*, std::string*, ceph::buffer::list*, void (*)(long, void*), void*, std::set<std::string, std::less<std::string>, std::allocator<std::string> >*, boost::optional<unsigned long>*)
+0xb58) [0x562c7965a438]
 19: (RGWAsyncFetchRemoteObj::_send_request()+0x391) [0x562c795ade11]
 20: (RGWAsyncRadosProcessor::handle_request(RGWAsyncRadosRequest*)+0x22) [0x562c795aac02]
 21: (RGWAsyncRadosProcessor::RGWWQ::_process(RGWAsyncRadosRequest*, ThreadPool::TPHandle&)+0xd) [0x562c795aaccd]
 22: (ThreadPool::worker(ThreadPool::WorkThread*)+0xa8e) [0x7f7bfcb321de]
 23: (ThreadPool::WorkThread::entry()+0x10) [0x7f7bfcb33100]
 24: (()+0x7dd5) [0x7f7c0555add5]
 25: (clone()+0x6d) [0x7f7bf99e1ead]

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Ceph » rgw

Custom queries

Bug #40436

multisite: use-after-free of RGWFetchRemoteObjCR::zones_trace

Updated by Casey Bodley almost 5 years ago

Updated by Casey Bodley almost 5 years ago