authorRavishankar N <ravishankar@redhat.com>2017-02-02 16:41:45 +0530
committerPranith Kumar Karampuri <pkarampu@redhat.com>2017-02-13 06:29:23 -0500
commit25fc74f9d1f2b1e7bab76485a99f27abadd10b7b (patch)
tree3d181b0e15df7ad4705fed5870aabec3af156076 /xlators/protocol/client/src/client-rpc-fops.c
parentc6304c339104b0655473ee928659fdc4fa7cb2d9 (diff)
protocol/client: Fix double free of client fdctx destroy
This patch fixes the race between the fd re-open code and the fd release code, both of which free the fd context due to a race in certain variable checks, as explained below: 1. The client process (shd in the case of this BZ) sends an opendir to its children (client xlators), which send the fop to the bricks to get a valid fd. 2. The client xlator loses its connection to the brick; fdctx->remotefd is -1. 3. The client re-establishes the connection. After the handshake, it reopens the dir and sets fdctx->remotefd to a valid fd in client3_3_reopendir_cbk(). 4. Meanwhile, shd sends an fd unref after it is done with the opendir. This triggers a releasedir (since fd->refcount becomes 0). 5. client3_3_releasedir() sees that fdctx->remotefd is a valid number (i.e. not -1), sets fdctx->released=1 and calls client_fdctx_destroy(). 6. As a continuation of step 3, client_reopen_done() is called by client3_3_reopendir_cbk(), which sees that fdctx->released==1 and again calls client_fdctx_destroy(). Depending on when step 5 does GF_FREE(fdctx), we may crash at any place in step 6 in client3_3_reopendir_cbk() when it tries to access fdctx->{whatever}. Change-Id: Ia50873d11763e084e41d2a1f4d53715438e5e947 BUG: 1418629 Signed-off-by: Ravishankar N <ravishankar@redhat.com> Reviewed-on: https://review.gluster.org/16521 CentOS-regression: Gluster Build System <jenkins@build.gluster.org> NetBSD-regression: NetBSD Build System <jenkins@build.gluster.org> Smoke: Gluster Build System <jenkins@build.gluster.org> Reviewed-by: Pranith Kumar Karampuri <pkarampu@redhat.com>
Diffstat (limited to 'xlators/protocol/client/src/client-rpc-fops.c')
-rw-r--r--xlators/protocol/client/src/client-rpc-fops.c25
1 files changed, 15 insertions, 10 deletions
diff --git a/xlators/protocol/client/src/client-rpc-fops.c b/xlators/protocol/client/src/client-rpc-fops.c
index c260ac211ef..37d119fc08c 100644
--- a/xlators/protocol/client/src/client-rpc-fops.c
+++ b/xlators/protocol/client/src/client-rpc-fops.c
@@ -3299,6 +3299,7 @@ client3_3_releasedir (call_frame_t *frame, xlator_t *this,
clnt_fd_ctx_t *fdctx = NULL;
clnt_args_t *args = NULL;
int64_t remote_fd = -1;
+ gf_boolean_t destroy = _gf_false;
if (!this || !data)
goto out;
@@ -3317,16 +3318,19 @@ client3_3_releasedir (call_frame_t *frame, xlator_t *this,
reopen_cbk handle releasing
*/
- if (remote_fd != -1)
+ if (remote_fd == -1) {
+ fdctx->released = 1;
+ } else {
list_del_init (&fdctx->sfd_pos);
-
- fdctx->released = 1;
+ destroy = _gf_true;
+ }
}
}
pthread_mutex_unlock (&conf->lock);
- if (remote_fd != -1)
+ if (destroy)
client_fdctx_destroy (this, fdctx);
+
out:
return 0;
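Review bot: The new `else` branch in client3_3_releasedir unlinks the fdctx and destroys it without ever setting `fdctx->released`, so `released` is now only meaningful on the `remote_fd == -1` path where the reopen callback is expected to do the free; the comment just above the `if` still reads as if both paths mark it, so I would extend it with `/* remote_fd valid: no reopen in flight, so this path owns the fdctx — unlink it under conf->lock and free it after unlock; ->released is only consulted when a reopen cbk will do the free. */`. Calling client_fdctx_destroy after pthread_mutex_unlock is safe only if every other user reaches the fdctx through the list or the fd context under conf->lock, which the hunk does not show; worth confirming against the reopen path before relying on it. The function begins before this hunk.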
@@ -3341,6 +3345,7 @@ client3_3_release (call_frame_t *frame, xlator_t *this,
clnt_fd_ctx_t *fdctx = NULL;
clnt_args_t *args = NULL;
lk_heal_state_t lk_heal_state = GF_LK_HEAL_DONE;
+ gf_boolean_t destroy = _gf_false;
if (!this || !data)
goto out;
@@ -3359,17 +3364,17 @@ client3_3_release (call_frame_t *frame, xlator_t *this,
in progress. Just mark ->released = 1 and let
reopen_cbk handle releasing
*/
-
- if (remote_fd != -1 &&
- lk_heal_state == GF_LK_HEAL_DONE)
+ if (remote_fd == -1) {
+ fdctx->released = 1;
+ } else if (lk_heal_state == GF_LK_HEAL_DONE) {
list_del_init (&fdctx->sfd_pos);
-
- fdctx->released = 1;
+ destroy = _gf_true;
+ }
}
}
pthread_mutex_unlock (&conf->lock);
- if (remote_fd != -1 && lk_heal_state == GF_LK_HEAL_DONE)
+ if (destroy)
client_fdctx_destroy (this, fdctx);
out:
return 0;
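Review bot: In client3_3_release the new `else if (lk_heal_state == GF_LK_HEAL_DONE)` leaves the combination `remote_fd != -1` with lock-heal still in progress neither marked released nor destroyed, so the fdctx stays on the list with no owner named for freeing it. The old condition skipped that case as well, so this is not a regression, but the three-way split now reads as deliberate and deserves a comment such as `/* lk-heal in progress: the heal completion path is expected to release the fdctx */`, assuming that is indeed where it is handled. The function begins before this hunk.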