Bug #43814

Updated by Radoslaw Zarzynski over 4 years ago

For sharable buffer::raw instances the problem doesn't exist.
For single or two-but-non-consecutively-placed non-sharable ones the problem is self-healing.
For at least two consecutively-placed non-sharable ones `erase_after_and_dispose()` is called with a broken pointer, leading to memory corruption.

 <pre> 
 commit 374048ec833a3adc66704f4a05fe3eb8205e830b 
 Author: Radoslaw Zarzynski <rzarzyns@redhat.com> 
 Date:     Fri Jan 24 09:15:13 2020 +0100 

     bl, DEBUG: hunt for the potential issue in claim_append(). 
    
     Signed-off-by: Radoslaw Zarzynski <rzarzyns@redhat.com> 

 diff --git a/src/common/buffer.cc b/src/common/buffer.cc 
 index ddd1056..37c7242 100644 
 --- a/src/common/buffer.cc 
 +++ b/src/common/buffer.cc 
 @@ -1303,7 +1303,10 @@ static ceph::spinlock debug_lock; 
         if (unlikely(raw && !raw->is_shareable())) { 
           auto* clone = ptr_node::copy_hypercombined(*curbuf); 
           curbuf = bl._buffers.erase_after_and_dispose(curbuf_prev); 
 +           auto canary = curbuf_prev; 
           bl._buffers.insert_after(curbuf_prev++, *clone); 
 +           ++canary; 
 +           ceph_assert_always(canary == curbuf_prev); 
         } else { 
           curbuf_prev = curbuf++; 
         } 
 </pre>
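Review bot: the post-increment in `bl._buffers.insert_after(curbuf_prev++, *clone);` is sequenced before the insertion runs, so `curbuf_prev` advances to whatever followed it at that moment, which is the `curbuf` returned by `erase_after_and_dispose()`, not the clone that is linked in afterwards; the new canary (`auto canary = curbuf_prev;` / `++canary;` / `ceph_assert_always(canary == curbuf_prev);`) will therefore fire on every pass through this branch. That matches the consecutive non-shareable case in the comment: on the next iteration `erase_after_and_dispose(curbuf_prev)` unlinks and disposes the node after `curbuf` while `curbuf` stays in the list, and if `curbuf` was the last node there is no successor to erase at all. The fix is to insert first and advance afterwards, `bl._buffers.insert_after(curbuf_prev, *clone); ++curbuf_prev;`, which leaves `curbuf_prev` on the clone directly before `curbuf`; `ceph_assert_always` in this hot path is acceptable for a DEBUG commit but should not be carried into the final change.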

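A stand-alone C++ reproduction of the iterator ordering the debug commit probes, added here and not part of the tracker entry or of Ceph's code: `std::forward_list` stands in for `bl._buffers` (its `erase_after`/`insert_after` have the same semantics), odd values stand in for non-shareable `buffer::raw` instances, and the `buggy` flag keeps the original `insert_after(prev++, clone)` ordering while the other branch inserts first and advances afterwards.

```cpp
#include <forward_list>
#include <iterator>
#include <vector>

struct Outcome {
    std::vector<int> contents; // list contents when the walk stopped
    bool stale_prev;           // erase_after() was about to run on the wrong node
};

// Walk the list, replacing every odd element ("non-shareable") with a clone
// (value + 100), as claim_append() does for non-shareable buffer::raw.
// buggy=true keeps the original insert_after(prev++, clone) ordering.
static Outcome replace_odds(const std::vector<int>& input, bool buggy) {
    std::forward_list<int> list(input.begin(), input.end());
    auto prev = list.before_begin();
    auto cur  = list.begin();
    while (cur != list.end()) {
        if (*cur % 2 != 0) {
            // The real code has no such check: a stale prev makes
            // erase_after() unlink (and dispose) the wrong node, or
            // run past the end of the list.
            if (std::next(prev) != cur)
                return {std::vector<int>(list.begin(), list.end()), true};
            int clone = *cur + 100;
            cur = list.erase_after(prev);          // cur -> node after the erased one
            if (buggy) {
                // prev++ is sequenced before the call body runs, so prev
                // moves to the node following the erased one (== cur),
                // not to the clone that is inserted a moment later.
                list.insert_after(prev++, clone);
            } else {
                list.insert_after(prev, clone);
                ++prev;                              // prev now sits on the clone
            }
        } else {
            prev = cur++;                            // keeps prev just before cur
        }
    }
    return {std::vector<int>(list.begin(), list.end()), false};
}
```

The three outcomes mirror the comment above: even-only input is left untouched, `{1, 2, 3}` self-heals because the even element resynchronises `prev`, and `{1, 3, 2}` leaves `prev` stale before the second erase.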