Bug #43814 (closed)

common/bl: claim_append() corrupts memory when a bl consecutively has at least two unshareable bptrs

Added by Radoslaw Zarzynski over 4 years ago. Updated almost 4 years ago.

Status: Resolved
Priority: Normal
Target version: -
% Done: 0%
Source: Development
Tags:
Backport: nautilus
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

For shareable buffer::raw instances the problem doesn't exist.
For a single non-shareable one, or two that are not placed consecutively, the problem is self-healing.
For at least two consecutively placed non-shareable ones, `erase_after_and_dispose()` is called with a broken pointer, leading to memory corruption.
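The three cases above, reproduced in an added example that is not Ceph's code: `std::forward_list` stands in for `bl._buffers`, a constructed `Buf` struct stands in for a bptr, and the predecessor check inside the loop is a hypothetical probe that reports the state in which the real `erase_after_and_dispose()` would be handed the wrong node.

```cpp
#include <forward_list>
#include <initializer_list>
#include <iterator>
#include <string>
#include <vector>

// Stand-in for a bufferlist node (constructed model, not ceph::buffer::ptr_node):
// a buffer is either shareable or must be replaced by a private copy when claimed.
struct Buf { std::string name; bool shareable; };

// Walks the list the way claim_append() does, swapping every unshareable node for a
// clone.  With buggy == true the advance is the original `insert_after(prev++, clone)`;
// otherwise prev is moved onto the clone only after the insertion.  Returns false the
// moment an unshareable node is reached while prev is not its predecessor: that is the
// state in which the real code hands erase_after_and_dispose() the wrong node.
bool claim_like(std::forward_list<Buf>& bl, bool buggy) {
  auto prev = bl.before_begin();
  auto cur = bl.begin();
  while (cur != bl.end()) {
    if (!cur->shareable) {
      if (std::next(prev) != cur) return false;   // would erase the wrong node
      Buf clone{cur->name + "'", true};           // private, shareable copy
      cur = bl.erase_after(prev);                 // drop the unshareable node
      if (buggy) {
        // prev++ is a side effect of argument evaluation, sequenced before the
        // insert runs, so prev steps onto cur (the old successor), not the clone.
        bl.insert_after(prev++, clone);
      } else {
        prev = bl.insert_after(prev, clone);      // prev now sits on the clone
      }
    } else {
      prev = cur++;   // a shareable successor re-synchronises prev and cur
    }
  }
  return true;
}

struct Result { bool ok; std::vector<std::string> names; };

// Runs claim_like() over a constructed list and reports whether it finished with the
// predecessor invariant intact, plus the final node names.
Result run(std::initializer_list<Buf> bufs, bool buggy) {
  std::forward_list<Buf> bl(bufs);
  Result r{claim_like(bl, buggy), {}};
  for (const auto& b : bl) r.names.push_back(b.name);
  return r;
}
```

With two consecutive unshareable nodes the buggy walk stops on the second one with `prev` pointing past it; a shareable neighbour in between resets `prev` and the walk completes, which is the self-healing case.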

commit 374048ec833a3adc66704f4a05fe3eb8205e830b
Author: Radoslaw Zarzynski <rzarzyns@redhat.com>
Date:   Fri Jan 24 09:15:13 2020 +0100

    bl, DEBUG: hunt for the potential issue in claim_append().

    Signed-off-by: Radoslaw Zarzynski <rzarzyns@redhat.com>

diff --git a/src/common/buffer.cc b/src/common/buffer.cc
index ddd1056..37c7242 100644
--- a/src/common/buffer.cc
+++ b/src/common/buffer.cc
@@ -1303,7 +1303,10 @@ static ceph::spinlock debug_lock;
        if (unlikely(raw && !raw->is_shareable())) {
          auto* clone = ptr_node::copy_hypercombined(*curbuf);
          curbuf = bl._buffers.erase_after_and_dispose(curbuf_prev);
+         auto canary = curbuf_prev;
          bl._buffers.insert_after(curbuf_prev++, *clone);
+         ++canary;
+         ceph_assert_always(canary == curbuf_prev);
        } else {
          curbuf_prev = curbuf++;
        }
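Review bot: the canary will fire on the first unshareable buffer, not only in the two-consecutive case, because in `bl._buffers.insert_after(curbuf_prev++, *clone);` the post-increment is a side effect of evaluating the argument and C++ sequences it before the call body runs: `curbuf_prev` therefore advances onto the pre-insertion successor (the node `curbuf` was just set to), while `canary`, incremented after the insert, lands on the clone. The mismatch is harmless when the next buffer is shareable, since `curbuf_prev = curbuf++;` in the else branch re-synchronises the two iterators, but if the next buffer is also unshareable the following `erase_after_and_dispose(curbuf_prev)` removes the node after `curbuf` instead of `curbuf` itself, which matches the description. If this probe is turned into the fix, drop the canary and separate the insertion from the advance, e.g. `bl._buffers.insert_after(curbuf_prev, *clone);` followed by `++curbuf_prev;` (or assign from the return value if `insert_after` yields an iterator to the inserted node).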

Related issues: 1 (0 open, 1 closed)

Copied to bluestore - Backport #43920: nautilus: common/bl: claim_append() corrupts memory when a bl consecutively has at least two unshareable bptrs (Resolved, Shyukri Shyukriev)
#1 - Updated by Radoslaw Zarzynski over 4 years ago

  • Description updated (diff)
  • Status changed from In Progress to Fix Under Review

#2 - Updated by Radoslaw Zarzynski over 4 years ago

  • Description updated (diff)

#3 - Updated by Sage Weil about 4 years ago

  • Status changed from Fix Under Review to Pending Backport

#4 - Updated by Nathan Cutler about 4 years ago

  • Copied to Backport #43920: nautilus: common/bl: claim_append() corrupts memory when a bl consecutively has at least two unshareable bptrs added

#5 - Updated by Shyukri Shyukriev about 4 years ago

  • Pull request ID set to 32823

#6 - Updated by Nathan Cutler almost 4 years ago

  • Status changed from Pending Backport to Resolved

While running with --resolve-parent, the script "backport-create-issue" noticed that all backports of this issue are in status "Resolved" or "Rejected".
