client: fix memory leak in Client::CRF_iofinish::complete#60507
client: fix memory leak in Client::CRF_iofinish::complete#60507
Conversation
synarete
added
wip-ssharon-test2
synarete
force-pushed
the
ss-cephfs-asyncio-use-after-free-bugfix
branch
from
d98aa32 to
b479023
Compare
synarete
force-pushed
the
ss-cephfs-asyncio-use-after-free-bugfix
branch
from
b479023 to
a655d80
Compare
|
from what I see is we might also need to audit |
@dparmar18 As far as I can tell from reading the code of |
Yeah but since @batrick mentioned, im wondering if that part is really required since the base class should take care of it, no? |
The code of |
Okay, I guess it might be needed for |
Yea, I think that one really is needed, or if we can find a different way to resolve the Context lifetime. |
since this bug was caused due to some race where the |
synarete
force-pushed
the
ss-cephfs-asyncio-use-after-free-bugfix
branch
4 times, most recently
from
e5d2a37 to
d26c19d
Compare
synarete
force-pushed
the
ss-cephfs-asyncio-use-after-free-bugfix
branch
from
d26c19d to
0c27fe3
Compare
|
I'm suspecting this change to be causing failures reported in #60411 (comment) Will update when I verify that. |
|
This pull request has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs for another 30 days. |
|
This pull request has been automatically closed because there has been no activity for 90 days. Please feel free to reopen this pull request (or open a new one) if the proposed change is still appropriate. Thank you for your contribution! |
|
@dparmar18 This change need to be reviewed and testes. @dparmar18 Mind having a look? I will get to it later today. |
ACK |
|
This patch looks good to me but as @ffilz mentioned in #60507 (comment) that if in case of short reads |
|
I feel we should have a better mechanism of managing context lifetime i.e. independent of |
Yea, lifetime seems mucky... Not sure best way to fix it. |
|
This pull request has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs for another 30 days. |
|
jenkins test make check arm64 |
|
jenkins test make check arm64 |
Commit 1210ddf ("Client: Add non-blocking helper classes") introduced Client::C_Read_Finisher Context object for async READ operations, but it has a read-after-free bug which may cause memory leak when calling libcephf's non-blocking ceph_ll_nonblocking_readv_writev API with async READ: ceph_ll_nonblocking_readv_writev (READ) Client::ll_preadv_pwritev ... Client::_read_async Context::complete Client::CRF_iofinish::complete Client::CRF_iofinish::finish CRF->finish_io() Client::C_Read_Finisher::finish_io ... delete this; // frees CRF_iofinish->CRF if (CRF->iofinished) // use-after-free of CRF delete this; // may not get here A possible memory leak depends on timing and race with other thread allocation which alters the memory address of CRF->iofinished to false, thus skipping the last delete operation. The check of `if (CRF->iofinished)` is unnecessary: it is always set to true upon calling CRF->finish_io(). Thus, there is no need to have the override function Client::CRF_iofinish::complete() as it now has the same logic as Context::complete(). Removed. Signed-off-by: Shachar Sharon <[email protected]>
synarete
force-pushed
the
ss-cephfs-asyncio-use-after-free-bugfix
branch
from
5b89503 to
6dc7756
Compare
|
Testing update: https://tracker.ceph.com/issues/71514#note-12 |
|
@synarete I will backport this fix to squid/tentacle branch with other client side fixes. |
7 participants
Commit 1210ddf ("Client: Add non-blocking helper classes") introduced Client::C_Read_Finisher Context object for async READ operations, but it has a read-after-free bug which may cause memory leak when calling libcephf's non-blocking ceph_ll_nonblocking_readv_writev API with async READ:
ceph_ll_nonblocking_readv_writev (READ)
Client::ll_preadv_pwritev
...
Client::_read_async
Context::complete
Client::CRF_iofinish::complete
Client::CRF_iofinish::finish
CRF->finish_io()
Client::C_Read_Finisher::finish_io
...
delete this; // frees CRF_iofinish->CRF
if (CRF->iofinished) // use-after-free of CRF
delete this; // may not get here
A possible memory leak depends on timing and race with other thread allocation which alters the memory address of CRF->iofinished to false, thus skipping the last delete operation.
The check of
if (CRF->iofinished)is unnecessary: it is always set to true upon calling CRF->finish_io(). Removed.Contribution Guidelines
To sign and title your commits, please refer to Submitting Patches to Ceph.
If you are submitting a fix for a stable branch (e.g. "quincy"), please refer to Submitting Patches to Ceph - Backports for the proper workflow.
When filling out the below checklist, you may click boxes directly in the GitHub web UI. When entering or editing the entire PR message in the GitHub web UI editor, you may also select a checklist item by adding an
xbetween the brackets:[x]. Spaces and capitalization matter when checking off items this way.Checklist
Show available Jenkins commands
jenkins retest this pleasejenkins test classic perfjenkins test crimson perfjenkins test signedjenkins test make checkjenkins test make check arm64jenkins test submodulesjenkins test dashboardjenkins test dashboard cephadmjenkins test apijenkins test docsjenkins render docsjenkins test ceph-volume alljenkins test ceph-volume toxjenkins test windowsjenkins test rook e2e