Bug #64545
open
crimson: OrderedConcurrentPhase::ExitBarrier::exit() does not guarantee that phase survives
% Done: 0%
Regression: No
Severity: 3 - minor
Description
void exit() final {
  if (barrier) {
    assert(phase);
    assert(phase->core == seastar::this_shard_id());
    std::ignore = std::move(*barrier
    ).then([phase=this->phase] {
      phase->mutex.unlock();
    });
    barrier = std::nullopt;
    phase = nullptr;
  } else if (phase) {
    assert(phase->core == seastar::this_shard_id());
    phase->mutex.unlock();
    phase = nullptr;
  }
}
phase->mutex.unlock() can occur significantly after exit() finishes. *phase will generally be embedded in a PG or a Connection, so it's often but not always safe.
https://tracker.ceph.com/issues/63647 was a more dangerous variant because *phase was part of the operation itself.
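The lifetime hazard described above, as an added standalone model that is not part of the original report or of the crimson code base: a plain task queue stands in for the Seastar continuation, and `Owner`, `exit_phase` and `drop_owner_then_run` are hypothetical names. Having the continuation co-own the object is shown as one general mitigation, not as the project's fix.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <utility>
#include <vector>

// Stand-in for the reactor: continuations are queued now and run later.
static std::vector<std::function<void()>> deferred;
static void run_deferred() {
    auto tasks = std::move(deferred);
    deferred.clear();
    for (auto &task : tasks) task();
}

struct Phase { bool locked = true; void unlock() { locked = false; } };
struct Owner { Phase phase; };  // hypothetical: a PG or Connection embedding the phase

enum class Outcome { pending, unlocked, owner_gone };

// Queue the deferred unlock, as exit() does when a barrier is pending.
// keep_alive=false models capturing only the phase pointer; a weak_ptr makes
// the dangling case observable instead of undefined behaviour.
void exit_phase(const std::shared_ptr<Owner> &owner, bool keep_alive,
                std::shared_ptr<Outcome> result) {
    std::weak_ptr<Owner> weak = owner;
    std::shared_ptr<Owner> strong;
    if (keep_alive) strong = owner;  // continuation co-owns the object it unlocks
    deferred.push_back([weak, strong, result] {
        (void)strong;  // held only to extend the owner's lifetime
        if (auto live = weak.lock()) {
            live->phase.unlock();
            *result = Outcome::unlocked;
        } else {
            *result = Outcome::owner_gone;  // real code would touch freed memory here
        }
    });
}

// exit() returns, the owner is released, and only then does the continuation run.
Outcome drop_owner_then_run(bool keep_alive) {
    auto owner = std::make_shared<Owner>();
    auto result = std::make_shared<Outcome>(Outcome::pending);
    exit_phase(owner, keep_alive, result);
    owner.reset();
    run_deferred();
    return *result;
}

int main() {
    std::printf("phase pointer only: %d\n", static_cast<int>(drop_owner_then_run(false)));
    std::printf("owner kept alive:   %d\n", static_cast<int>(drop_owner_then_run(true)));
}
```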
Updated by Samuel Just 2 months ago
- Related to Bug #64513: crimson: stack-use-after-free in build_incremental_map_msg added
Updated by Samuel Just 2 months ago
- Related to deleted (Bug #64513: crimson: stack-use-after-free in build_incremental_map_msg)
Updated by Samuel Just 2 months ago
- Related to Bug #63647: SnapTrimEvent AddressSanitizer: heap-use-after-free added