mds: fix issues with use-after-free in C_Flush_Journal

mchangir · mchangir · commit e1ab8eb78b17 · 2025-03-28T18:02:14.000+05:30
Resolved use-after-free issue of ESubtreeMap. The subtreemap event gets destroyed after it is submitted to the log. MDLog::submit_event() now returns a sequence number of the submitted event. Fixes: https://tracker.ceph.com/issues/69953 Signed-off-by: Milind Changire <mchangir@redhat.com>
diff --git a/src/mds/MDLog.cc b/src/mds/MDLog.cc
@@ -389,7 +389,7 @@ LogSegment* MDLog::_start_new_segment(SegmentBoundary* sb)
   return ls;
 }
 
-void MDLog::_submit_entry(LogEvent *le, MDSLogContextBase* c)
+LogSegment::seq_t MDLog::_submit_entry(LogEvent *le, MDSLogContextBase* c)
 {
   dout(20) << __func__ << " " << *le << dendl;
   ceph_assert(ceph_mutex_is_locked_by_me(mds->mds_lock));
@@ -436,6 +436,7 @@ void MDLog::_submit_entry(LogEvent *le, MDSLogContextBase* c)
   }
 
   unflushed++;
+  return event_seq;
 }
 
 void MDLog::_segment_upkeep()
diff --git a/src/mds/MDLog.h b/src/mds/MDLog.h
@@ -136,11 +136,12 @@ class MDLog {
 
   void finish_head_waiters();
 
-  void submit_entry(LogEvent *e, MDSLogContextBase* c = 0) {
+  LogSegment::seq_t submit_entry(LogEvent *e, MDSLogContextBase* c = 0) {
     std::lock_guard l(submit_mutex);
-    _submit_entry(e, c);
+    auto seq = _submit_entry(e, c);
     _segment_upkeep();
     submit_cond.notify_all();
+    return seq;
   }
 
   void wait_for_safe(Context* c);
@@ -293,7 +294,7 @@ class MDLog {
   void try_to_commit_open_file_table(uint64_t last_seq);
   LogSegment* _start_new_segment(SegmentBoundary* sb);
   void _segment_upkeep();
-  void _submit_entry(LogEvent* e, MDSLogContextBase* c);
+  LogSegment::seq_t _submit_entry(LogEvent* e, MDSLogContextBase* c);
 
   void try_expire(LogSegment *ls, int op_prio);
   void _maybe_expired(LogSegment *ls, int op_prio);
diff --git a/src/mds/MDSRank.cc b/src/mds/MDSRank.cc
@@ -98,8 +98,7 @@ class C_Flush_Journal : public MDSInternalContext {
     // I need to seal off the current segment, and then mark all
     // previous segments for expiry
     auto* sle = mdcache->create_subtree_map();
-    mdlog->submit_entry(sle);
-    seq = sle->get_seq();
+    seq = mdlog->submit_entry(sle);
 
     Context *ctx = new LambdaContext([this](int r) {
         handle_clear_mdlog(r);

Original file line number	Diff line number	Diff line change
`@@ -389,7 +389,7 @@ LogSegment* MDLog::_start_new_segment(SegmentBoundary* sb)`
`389`	`389`	`return ls;`
`390`	`390`	`}`
`391`	`391`
`392`		`-void MDLog::_submit_entry(LogEvent le, MDSLogContextBase c)`
	`392`	`+LogSegment::seq_t MDLog::_submit_entry(LogEvent le, MDSLogContextBase c)`
`393`	`393`	`{`
`394`	`394`	`dout(20) << __func__ << " " << *le << dendl;`
`395`	`395`	`ceph_assert(ceph_mutex_is_locked_by_me(mds->mds_lock));`
`@@ -436,6 +436,7 @@ void MDLog::_submit_entry(LogEvent le, MDSLogContextBase c)`
`436`	`436`	`}`
`437`	`437`
`438`	`438`	`unflushed++;`
	`439`	`+ return event_seq;`
`439`	`440`	`}`
`440`	`441`
`441`	`442`	`void MDLog::_segment_upkeep()`