From abd7b1393294d29eef6913e7f93ab76040c90428 Mon Sep 17 00:00:00 2001
From: Mohit Agrawal
Date: Tue, 24 Jul 2018 14:48:35 +0530
Subject: rpc: rpc_clnt_connection_cleanup is crashed due to double free

Problem: gfapi client is getting crashed in rpc_clnt_connection_cleanup at the time of destroying saved_frames

Solution: gfapi client is getting crashed because saved_frame ptr is already freed in rpc_clnt_destroy.To avoid the same update code in rpc_clnt_destroy

Change-Id: Id8cce102b49f26cfd86ef88257032ed98f43192b
fixes: bz#1607783
Signed-off-by: Mohit Agrawal
---
 rpc/rpc-lib/src/rpc-clnt.c | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

(limited to 'rpc/rpc-lib')

diff --git a/rpc/rpc-lib/src/rpc-clnt.c b/rpc/rpc-lib/src/rpc-clnt.c
index 330a96837e6..232101c301e 100644
--- a/rpc/rpc-lib/src/rpc-clnt.c
+++ b/rpc/rpc-lib/src/rpc-clnt.c
@@ -1824,14 +1824,28 @@ rpc_clnt_trigger_destroy (struct rpc_clnt *rpc)
 static void
 rpc_clnt_destroy (struct rpc_clnt *rpc)
 {
- rpcclnt_cb_program_t *program = NULL;
- rpcclnt_cb_program_t *tmp = NULL;
+ rpcclnt_cb_program_t *program = NULL;
+ rpcclnt_cb_program_t *tmp = NULL;
+ struct saved_frames *saved_frames = NULL;
+ rpc_clnt_connection_t *conn = NULL;
 
 if (!rpc)
 return;
 
+ conn = &rpc->conn;
 GF_FREE (rpc->conn.name);
- saved_frames_destroy (rpc->conn.saved_frames);
+ /* Access saved_frames in critical-section to avoid
+ crash in rpc_clnt_connection_cleanup at the time
+ of destroying saved frames
+ */
+ pthread_mutex_lock (&conn->lock);
+ {
+ saved_frames = conn->saved_frames;
+ conn->saved_frames = NULL;
+ }
+ pthread_mutex_unlock (&conn->lock);
+
+ saved_frames_destroy (saved_frames);
 pthread_mutex_destroy (&rpc->lock);
 pthread_mutex_destroy (&rpc->conn.lock);
 
--
cgit
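Review bot: Detaching conn->saved_frames under conn->lock removes the double free, but two lines later `pthread_mutex_destroy (&rpc->conn.lock);` tears down that same mutex; if rpc_clnt_connection_cleanup can still be running concurrently at this point, as the new comment implies, destroying a mutex another thread may be about to take is undefined behaviour, so the ordering that guarantees cleanup has finished before rpc_clnt_destroy proceeds should be stated rather than left implicit. The comment itself would be more useful if it named the invariant, e.g. `/* rpc_clnt_connection_cleanup() also frees conn->saved_frames under conn->lock; take ownership of the pointer under the same lock so exactly one side destroys it. */`. The new code also relies on saved_frames_destroy accepting a NULL argument when cleanup got there first, which is not visible in this hunk and is worth confirming. Minor style point: having introduced `conn`, the remaining `&rpc->conn.lock` and `rpc->conn.name` could read `&conn->lock` and `conn->name` for consistency. rpc_clnt_destroy's body continues past the end of the hunk.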