Bug #43814
closed
common/bl: claim_append() corrupts memory when a bl consecutively has at least two unshareable bptrs
% Done: 0%
Source: Development
Tags:
Backport: nautilus
Regression: No
Severity: 3 - minor
Reviewed:
Description
For sharable buffer::raw instances the problem doesn't exist.
For single or two-but-non-consecutively-placed non-sharable ones the problem is self-healing.
For at least two consecutively-placed non-sharable ones `erase_after_and_dispose()` is called with a broken pointer, leading to memory corruption.
commit 374048ec833a3adc66704f4a05fe3eb8205e830b Author: Radoslaw Zarzynski <rzarzyns@redhat.com> Date: Fri Jan 24 09:15:13 2020 +0100 bl, DEBUG: hunt for the potential issue in claim_append(). Signed-off-by: Radoslaw Zarzynski <rzarzyns@redhat.com> diff --git a/src/common/buffer.cc b/src/common/buffer.cc index ddd1056..37c7242 100644 --- a/src/common/buffer.cc +++ b/src/common/buffer.cc @@ -1303,7 +1303,10 @@ static ceph::spinlock debug_lock; if (unlikely(raw && !raw->is_shareable())) { auto* clone = ptr_node::copy_hypercombined(*curbuf); curbuf = bl._buffers.erase_after_and_dispose(curbuf_prev); + auto canary = curbuf_prev; bl._buffers.insert_after(curbuf_prev++, *clone); + ++canary; + ceph_assert_always(canary == curbuf_prev); } else { curbuf_prev = curbuf++; }
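Review bot: the canary added in the `!raw->is_shareable()` branch can only report the stale iterator, it does not correct it, and as written it should trip every time this branch runs. In `bl._buffers.insert_after(curbuf_prev++, *clone);` the post-increment completes before `insert_after()` executes, so `curbuf_prev` steps onto the node that followed the erased one (the value `curbuf` already holds), while `canary` is incremented after the insert and lands on the clone. If the next `curbuf` is also unshareable, `erase_after_and_dispose(curbuf_prev)` is then called with `curbuf_prev == curbuf`. Suggest splitting the statement into `bl._buffers.insert_after(curbuf_prev, *clone);` followed by `++curbuf_prev;`, and dropping `canary` and `ceph_assert_always` from the final fix or keeping them only as a regression check, since an always-on assert in this path turns the condition into an abort.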
Updated by Radoslaw Zarzynski over 4 years ago
- Description updated (diff)
- Status changed from In Progress to Fix Under Review
Updated by Sage Weil about 4 years ago
- Status changed from Fix Under Review to Pending Backport
Updated by Nathan Cutler about 4 years ago
- Copied to Backport #43920: nautilus: common/bl: claim_append() corrupts memory when a bl consecutively has at least two unshareable bptrs added
Updated by Nathan Cutler almost 4 years ago
- Status changed from Pending Backport to Resolved
While running with --resolve-parent, the script "backport-create-issue" noticed that all backports of this issue are in status "Resolved" or "Rejected".
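The three cases in the description (single, non-consecutive, consecutive unshareable nodes) can be reproduced on a plain `std::forward_list`. This is an added example, not Ceph code: `Node`, `List` and `broken_erase_calls` are hypothetical names, and `std::forward_list` stands in for `bl._buffers`.

```cpp
#include <cstdio>
#include <forward_list>
#include <iterator>

// Hypothetical stand-in for a buffer node; only the shareable flag matters here.
struct Node { int id; bool shareable; };
using List = std::forward_list<Node>;

// Replaces every unshareable node with a copy, as the loop in the description does,
// and counts how often erase_after() would have been handed a `prev` that is not
// the real predecessor of `cur`.
//   buggy == true : insert_after(prev++, ...), prev advances before the insert
//   buggy == false: insert first, then step prev onto the inserted copy
int broken_erase_calls(List& l, bool buggy) {
  int broken = 0;
  auto prev = l.before_begin();
  auto good_prev = prev;              // ground truth: real predecessor of cur
  auto cur = l.begin();
  while (cur != l.end()) {
    if (!cur->shareable) {
      if (std::next(prev) != cur) {   // erase_after(prev) would hit the wrong node
        ++broken;
        prev = good_prev;             // repair so this demo stays well defined
      }
      Node clone = *cur;
      cur = l.erase_after(prev);      // cur is now the node after the erased one
      if (buggy) {
        good_prev = l.insert_after(prev++, clone);  // prev skips past the clone
      } else {
        good_prev = l.insert_after(prev, clone);
        ++prev;                                     // prev is the clone
      }
    } else {
      good_prev = prev = cur++;       // a shareable node resynchronises prev
    }
  }
  return broken;
}

int main() {
  List single{{0, true}, {1, false}, {2, true}};        // constructed sample lists
  List consecutive{{0, true}, {1, false}, {2, false}};
  List consecutive_fixed = consecutive;
  std::printf("single=%d consecutive=%d fixed=%d\n", broken_erase_calls(single, true),
              broken_erase_calls(consecutive, true), broken_erase_calls(consecutive_fixed, false));
}
```

The demo restores `prev` before each erase so it never performs the invalid `erase_after()` itself; the counter marks the iterations where the real code would corrupt the list.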