common: OpTracker doesn't visit TrackedOp when nref == 0.

The patch fixes a race condition that happens between `unregister_inflight_op` and `visit_ops_in_flight` of `OpTracker`. When a callable passed to the former one turns the plain reference it gets into `TrackedOpRef`, an almost-to-terminate `TrackedOp` (with `nref == 0`) can be resurrected (`nref++`). This will be reflected in extra call to `unregister_inflight_op` for same op leading to e.g. use-after-free. For more details see: https://tracker.ceph.com/issues/24037#note-5. The fix deals with the problem by ensuring there will be no call to the visitor for ops with zeroized `nref`. Fixes: http://tracker.ceph.com/issues/24037 Signed-off-by: Radoslaw Zarzynski <rzarzyns@redhat.com>
2024-12-18 09:25:49 +00:00 · 2018-05-22 15:50:44 +02:00 · 2018-05-22 15:50:44 +02:00 · 574aeb8130
commit 574aeb8130
parent ea205e1cbb
1 changed files with 1 additions and 1 deletions
--- a/src/common/TrackedOp.cc
+++ b/src/common/TrackedOp.cc
@ -328,7 +328,7 @@ bool OpTracker::visit_ops_in_flight(utime_t* oldest_secs,
    assert(NULL != sdata);
    Mutex::Locker locker(sdata->ops_in_flight_lock_sharded);
    for (auto& op : sdata->ops_in_flight_sharded) {
-      if (!visit(op))
+      if (op.nref > 0 && !visit(op))
 	break;
    }
  }