From 63a5125a5220d953bf504daf33694f038403cc7c Mon Sep 17 00:00:00 2001
From: akankshamahajan
Date: Thu, 27 Jul 2023 12:02:03 -0700
Subject: [PATCH] Fix use_after_free bug when underlying FS enables kFSBuffer (#11645)
Summary: Fix use_after_free bug in async_io MultiReads when underlying FS enabled kFSBuffer. kFSBuffer is when underlying FS pass their own buffer instead of using RocksDB scratch in FSReadRequest Since it's an experimental feature, added a hack for now to fix the bug. Planning to make public API change to remove const from the callback as it doesn't make sense to use const.
Pull Request resolved: https://github.com/facebook/rocksdb/pull/11645
Test Plan: tested locally
Reviewed By: ltamasi
Differential Revision: D47819907
Pulled By: akankshamahajan15
fbshipit-source-id: 1faf5ef795bf27e2b3a60960374d91274931df8d
---
 unreleased_history/bug_fixes/fsbuffer_bug_fix.md | 1 +
 util/async_file_reader.cc | 5 +++++
 2 files changed, 6 insertions(+)
 create mode 100644 unreleased_history/bug_fixes/fsbuffer_bug_fix.md
diff --git a/unreleased_history/bug_fixes/fsbuffer_bug_fix.md b/unreleased_history/bug_fixes/fsbuffer_bug_fix.md
new file mode 100644
index 000000000..bec91bc4f
--- /dev/null
+++ b/unreleased_history/bug_fixes/fsbuffer_bug_fix.md
@@ -0,0 +1 @@
+Fix use_after_free bug in async_io MultiReads when underlying FS enabled kFSBuffer. kFSBuffer is when underlying FS pass their own buffer instead of using RocksDB scratch in FSReadRequest. Right now it's an experimental feature.
diff --git a/util/async_file_reader.cc b/util/async_file_reader.cc
index 080c1ae96..9ce13b99f
--- a/util/async_file_reader.cc
+++ b/util/async_file_reader.cc
@@ -26,6 +26,11 @@ bool AsyncFileReader::MultiReadAsyncImpl(ReadAwaiter* awaiter) {
 FSReadRequest* read_req = static_cast(cb_arg);
 read_req->status = req.status;
 read_req->result = req.result;
+ if (req.fs_scratch != nullptr) {
+ // TODO akanksha: Revisit to remove the const in the callback.
+ FSReadRequest& req_tmp = const_cast(req);
+ read_req->fs_scratch = std::move(req_tmp.fs_scratch);
+ }
 },
 &awaiter->read_reqs_[i], &awaiter->io_handle_[i], &awaiter->del_fn_[i],
 /*aligned_buf=*/nullptr);
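Review bot: The new `if (req.fs_scratch != nullptr)` block takes ownership of the FS-provided buffer by const_casting a `const FSReadRequest&` and moving out of it, but the only comment is a bare TODO, so a reader cannot tell why the move is required or what is unsafe about the cast: as the commit message describes it, `read_req->result` (copied on the line just above) aliases that buffer, so without moving `fs_scratch` along with it the caller's Slice dangles as soon as the FS releases `req`. I would replace the TODO with a comment stating the invariant and the hazard, e.g. `// req.result aliases the FS-owned buffer in req.fs_scratch (kFSBuffer); take ownership so the Slice outlives the FS's copy of req.` followed by `// TODO(akanksha): const_cast is a stopgap; mutating through it is UB if an FS ever hands us a genuinely const request, so drop const from the callback signature.` It is also worth recording that the FileSystem is left holding a moved-from `fs_scratch` and must not touch the request after the callback returns, since that is an unwritten contract on every kFSBuffer implementation. The `static_cast(cb_arg)` and `const_cast(req)` shown without template arguments look like extraction damage rather than the committed code. The enclosing `MultiReadAsyncImpl` and the lambda it passes both begin before this hunk.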