New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
shard_reader: background reads out-living the parent reader can access freed range and slice #9719
Milestone
Comments
avikivity
pushed a commit
that referenced
this issue
Dec 2, 2021
The shard reader can outlive its parent reader (the multishard reader). This creates a problem for lifecycle management: readers take the range and slice parameters by reference and users keep these alive until the reader is alive. The shard reader outliving the top-level reader means that any background read-ahead that it has to wait on will potentially have stale references to the range and the slice. This was seen in the wild recently when the evictable reader wrapped by the shard reader hit a use-after-free while wrapping up a background read-ahead. This problem was solved by fa43d76 but any previous versions are susceptible to it. This patch solves this problem by having the shard reader copy and keep the range and slice parameters in stable storage, before passing them further down. Fixes: #9719 Tests: unit(dev) Signed-off-by: Botond Dénes <bdenes@scylladb.com> Message-Id: <20211202113910.484591-1-bdenes@scylladb.com>
denesb
added a commit
that referenced
this issue
Dec 6, 2021
The shard reader can outlive its parent reader (the multishard reader). This creates a problem for lifecycle management: readers take the range and slice parameters by reference and users keep these alive until the reader is alive. The shard reader outliving the top-level reader means that any background read-ahead that it has to wait on will potentially have stale references to the range and the slice. This was seen in the wild recently when the evictable reader wrapped by the shard reader hit a use-after-free while wrapping up a background read-ahead. This problem was solved by fa43d76 but any previous versions are susceptible to it. This patch solves this problem by having the shard reader copy and keep the range and slice parameters in stable storage, before passing them further down. Fixes: #9719 Tests: unit(dev) Signed-off-by: Botond Dénes <bdenes@scylladb.com> Message-Id: <20211202113910.484591-1-bdenes@scylladb.com> (cherry picked from commit 417e853)
Closed by 417e853 (not merged to master as master is not vulnerable). |
Backported to 4.5 (initial merge) 4.4 and 2021.1 |
For posterity: this problem was observed when repairing a cluster which has mismatching shard counts and hence repair falls-back to the non-local reader (which uses the multishard reader, wrapped by a multi-range reader). |
benipeled
pushed a commit
to benipeled/scylla
that referenced
this issue
May 31, 2022
The shard reader can outlive its parent reader (the multishard reader). This creates a problem for lifecycle management: readers take the range and slice parameters by reference and users keep these alive until the reader is alive. The shard reader outliving the top-level reader means that any background read-ahead that it has to wait on will potentially have stale references to the range and the slice. This was seen in the wild recently when the evictable reader wrapped by the shard reader hit a use-after-free while wrapping up a background read-ahead. This problem was solved by fa43d76 but any previous versions are susceptible to it. This patch solves this problem by having the shard reader copy and keep the range and slice parameters in stable storage, before passing them further down. Fixes: scylladb#9719 Tests: unit(dev) Signed-off-by: Botond Dénes <bdenes@scylladb.com> Message-Id: <20211202113910.484591-1-bdenes@scylladb.com> (cherry picked from commit 417e853)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The shard reader can outlive its parent reader (the multishard reader). This creates a problem for lifecycle management: readers take the range and slice parameters by reference and users keep these alive until the reader is alive. The shard reader outliving the top-level reader means that any background read-ahead that it has to wait on will potentially have stale references to the range and the slice. This was seen in the wild recently when the evictable reader wrapped by the shard reader hit a use-after-free while wrapping up a background read-ahead. This problem was solved by fa43d76 but any previous versions are susceptible to it.
Affected versions: < 4.6
The text was updated successfully, but these errors were encountered: