From f747d55a7fd364e2b9a74fe40360ab3cb7b11537 Mon Sep 17 00:00:00 2001 From: Zhang Huan Date: Tue, 8 Jan 2019 16:17:06 +0800 Subject: socket: fix issue on concurrent handle of a socket Found an issue on concurrent invoke of event handler to the same socket fd, causing memory corruption. This issue arises after applying commit "socket: Remove redundant in_lock in incoming message handling" that removes priv->in_lock to serialize socket read. The following call sequence describes how concurrent socket event handle happens. thread 1 thread 2 thread 3 epoll_wait() return (slot->in_handler is 0) call select_on_epoll() and epoll_ctl() on fd epoll_wait() return slot->in_handler++ (slot->in_handler is 1) slot->in_handler++ (slot->in_handler is 2) call handler() call handler() Fix this issue by skip invoke of handler if there is already a handler inprogress. Change-Id: I437126ac772debcadb00993a948919c931cd607b updates: bz#1467614 Signed-off-by: Zhang Huan --- libglusterfs/src/event-epoll.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'libglusterfs/src') diff --git a/libglusterfs/src/event-epoll.c b/libglusterfs/src/event-epoll.c index 38acdadbe00..dcaf9804529 100644 --- a/libglusterfs/src/event-epoll.c +++ b/libglusterfs/src/event-epoll.c @@ -623,6 +623,12 @@ event_dispatch_epoll_handler(struct event_pool *event_pool, handler = slot->handler; data = slot->data; + if (slot->in_handler > 0) { + /* Another handler is inprogress, skip this one. */ + handler = NULL; + goto pre_unlock; + } + if (slot->handled_error) { handled_error_previously = _gf_true; } else { -- cgit
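Review bot: In the new `if (slot->in_handler > 0)` block, the event is dropped with `handler = NULL; goto pre_unlock;` and nothing in these lines records that a readiness notification was skipped, so the comment should say what guarantees the data behind it still gets serviced (for example, that the handler already in progress drains the socket or re-arms the fd before it returns). Without that, a reader cannot tell whether a skipped event can leave the fd readable with no handler scheduled. Two things to confirm outside this hunk: that the read of `slot->in_handler` happens under the same lock that guards the `slot->in_handler++` described in the commit message (the `pre_unlock` label suggests so, but the lock acquisition is not visible here), and that the code following `pre_unlock` tolerates `handler == NULL`. Minor: "inprogress" in the comment should read "in progress".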