Bug #1986

objecter: segfault during osd op reply demux

Added by Josh Durgin over 9 years ago. Updated over 9 years ago.

Status: Resolved
Priority: Normal
% Done: 0%
Regression: No
Severity: 3 - minor

Description

This happened on master + an rbd fix when running 'rbd snap purge blah', when the blah image had > 200 snapshots. Core and binary are in vit:~joshd/bug_1986.

(gdb) bt
#0  0x00007f720a0dde2b in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:41
#1  0x0000000000458dc8 in reraise_fatal (signum=20606) at global/signal_handler.cc:59
#2  0x00000000004592f1 in handle_fatal_signal (signum=<value optimized out>) at global/signal_handler.cc:109
#3  <signal handler called>
#4  Objecter::handle_osd_op_reply (this=0x126aa80, m=<value optimized out>) at osdc/Objecter.cc:1182
#5  0x00007f720a373f9c in librados::RadosClient::_dispatch (this=0x1268b90, m=0x127d230) at librados.cc:1069
#6  0x00007f720a374023 in librados::RadosClient::ms_dispatch (this=0x1268b90, m=0x127d230) at librados.cc:1039
#7  0x00000000004b6b73 in Messenger::ms_deliver_dispatch (this=0x1269c00) at msg/Messenger.h:102
#8  SimpleMessenger::dispatch_entry (this=0x1269c00) at msg/SimpleMessenger.cc:364
#9  0x000000000048f0ac in SimpleMessenger::DispatchThread::entry() ()
#10 0x00007f720a0d58ba in start_thread (arg=<value optimized out>) at pthread_create.c:300
#11 0x00007f72089c302d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#12 0x0000000000000000 in ?? ()
(gdb) frame 4
#4  Objecter::handle_osd_op_reply (this=0x126aa80, m=<value optimized out>) at osdc/Objecter.cc:1182
1182        if (*p)

Associated revisions

Revision 0cc26a94 (diff)
Added by Sage Weil over 9 years ago

objecter: fix bounds checking on op reply demuxing

We can't assume that the size of out_ops (from the reply) matches the
op->out_* vectors from our request state. In particular, the out_ops might
be shorter than what we sent the OSD if the OSD was sloppy. Check them.

We can assume that op->ops and op->out_* all match; assert as much in
op_submit().

Fixes: #1986
Signed-off-by: Sage Weil <>
Reviewed-by: Greg Farnum <>
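The hazard the commit message describes, as an added example in C++ that is not Ceph's code: a reply's per-op result list is demultiplexed into the request's parallel out_* vectors, first in the shape that is bounded only by the reply (which walks a request-side iterator past end() as soon as the two lengths disagree), then bounded on both sides with the mismatch surfaced to the caller, together with the submit-time invariant that the request-side vectors all match. ReplyOp, Op, demux_unchecked, demux_checked and run_scenario are this example's own simplified stand-ins for the Objecter types, and every reply fed in is a constructed input.

```cpp
// Added example, not Ceph's code: demuxing per-op results from an OSD reply
// into the request's per-op output slots. Types are simplified stand-ins for
// Objecter's Op / OSDOp; the names are this example's own.
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// One op's result as carried in the reply.
struct ReplyOp {
  int32_t rval;
  std::string outdata;
};

// Request-side state kept while the op is in flight. out_bl and out_rval are
// indexed in parallel with the ops we sent; a nullptr slot means "not wanted".
struct Op {
  size_t nops;                       // number of ops we sent to the OSD
  std::vector<std::string*> out_bl;  // per-op output data sink
  std::vector<int*> out_rval;        // per-op return-code sink
};

// Submit-time invariant: everything on our side must be sized like the ops we
// send. This is the part we control, so it is an assertion, not a runtime check.
bool op_submit_check(const Op& op) {
  return op.out_bl.size() == op.nops && op.out_rval.size() == op.nops;
}

// "Before" shape: bounded only by the reply. If the reply carries more ops
// than our out_* vectors hold, pb/pr walk past end() and `if (*pb)` reads
// garbage. Kept for comparison; never call it with mismatched sizes.
void demux_unchecked(Op& op, const std::vector<ReplyOp>& out_ops) {
  auto pb = op.out_bl.begin();
  auto pr = op.out_rval.begin();
  for (auto p = out_ops.begin(); p != out_ops.end(); ++p, ++pb, ++pr) {
    if (*pb) **pb = p->outdata;
    if (*pr) **pr = p->rval;
  }
}

// Hardened shape: the loop stops when either side runs out, and a length
// mismatch is reported to the caller instead of trusted. Slots the reply does
// not cover are left untouched. Returns the number of ops demuxed.
size_t demux_checked(Op& op, const std::vector<ReplyOp>& out_ops, bool* mismatch) {
  *mismatch = (out_ops.size() != op.nops);
  size_t n = 0;
  auto pb = op.out_bl.begin();
  auto pr = op.out_rval.begin();
  for (auto p = out_ops.begin();
       p != out_ops.end() && pb != op.out_bl.end() && pr != op.out_rval.end();
       ++p, ++pb, ++pr, ++n) {
    if (*pb) **pb = p->outdata;
    if (*pr) **pr = p->rval;
  }
  return n;
}

// What a scenario produced, for inspection.
struct Outcome {
  size_t demuxed;  // ops whose results were copied into the request
  bool mismatch;   // reply length differed from the request length
  int last_rval;   // value left in the last request slot (-999 if untouched)
};

// Build a request with nops_sent ops and feed it a constructed reply.
Outcome run_scenario(size_t nops_sent, const std::vector<ReplyOp>& reply) {
  std::vector<std::string> bls(nops_sent);
  std::vector<int> rvals(nops_sent, -999);  // sentinel marks untouched slots
  Op op{nops_sent, {}, {}};
  for (size_t i = 0; i < nops_sent; ++i) {
    op.out_bl.push_back(&bls[i]);
    op.out_rval.push_back(&rvals[i]);
  }
  Outcome o{0, false, 0};
  if (!op_submit_check(op)) return o;  // would be an assert in op_submit()
  o.demuxed = demux_checked(op, reply, &o.mismatch);
  o.last_rval = nops_sent ? rvals[nops_sent - 1] : 0;
  return o;
}

int main() {
  // Sloppy OSD: we sent 3 ops, the reply has 2. The third slot stays untouched.
  Outcome a = run_scenario(3, {{0, "a"}, {-2, ""}});
  std::cout << "short reply: demuxed=" << a.demuxed << " mismatch=" << a.mismatch
            << " last_rval=" << a.last_rval << "\n";
  // Overlong reply: we sent 1 op, the reply has 3. The unchecked loop would overrun.
  Outcome b = run_scenario(1, {{0, "x"}, {0, "y"}, {0, "z"}});
  std::cout << "long reply: demuxed=" << b.demuxed << " mismatch=" << b.mismatch << "\n";
  return 0;
}
```

Two points worth keeping in mind when reading it: the checked loop deliberately leaves slots the reply did not cover untouched, so a caller that reads an out_rval sink afterwards must have initialised it itself; and the two-sided bound is what protects against both directions of disagreement, a reply shorter than the request and a reply longer than it, whichever a misbehaving peer produces.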

History

#1 Updated by Sage Weil over 9 years ago

I can't find 'if (*p)' anywhere in osdc/Objecter.cc... what commit was this on?

#2 Updated by Sage Weil over 9 years ago

nevermind, wrong branch

#3 Updated by Sage Weil over 9 years ago

  • Assignee set to Sage Weil
  • Target version set to v0.42

#4 Updated by Sage Weil over 9 years ago

  • Status changed from New to 4

wip-1986

#5 Updated by Sage Weil over 9 years ago

  • Status changed from 4 to Resolved
