From 1acb99bc78e827a34592dd1c41f3fd4cea11b14f Mon Sep 17 00:00:00 2001 From: Mohammed Rafi KC Date: Wed, 30 Mar 2016 17:42:44 +0530 Subject: glusterd/syncop: double free of frame stack Backport of http://review.gluster.org/13854 If rpc message from glusterd during brick op phase fails without sending, then frame was freed from the caller function and call back function. >Change-Id: I63cb3be30074e9a074f6895faa25b3d091f5b6a5 >BUG: 1322262 >Signed-off-by: Mohammed Rafi KC >Reviewed-on: http://review.gluster.org/13854 >Smoke: Gluster Build System >NetBSD-regression: NetBSD Build System >CentOS-regression: Gluster Build System >Reviewed-by: Jeff Darcy Change-Id: I39b32f64fd66ee8a6d30c60bb0a42faa45e78814 BUG: 1395245 Signed-off-by: Mohammed Rafi KC Reviewed-on: http://review.gluster.org/15917 NetBSD-regression: NetBSD Build System CentOS-regression: Gluster Build System Smoke: Gluster Build System Reviewed-by: Atin Mukherjee --- xlators/mgmt/glusterd/src/glusterd-mgmt.c | 41 +++++++++++++++++------- xlators/mgmt/glusterd/src/glusterd-syncop.c | 48 +++++++++++++++++++++-------- 2 files changed, 65 insertions(+), 24 deletions(-) (limited to 'xlators/mgmt/glusterd/src') diff --git a/xlators/mgmt/glusterd/src/glusterd-mgmt.c b/xlators/mgmt/glusterd/src/glusterd-mgmt.c index c5e942296c8..7b80d8322ec 100644 --- a/xlators/mgmt/glusterd/src/glusterd-mgmt.c +++ b/xlators/mgmt/glusterd/src/glusterd-mgmt.c @@ -480,7 +480,11 @@ out: if (rsp.dict.dict_val) free (rsp.dict.dict_val); - STACK_DESTROY (frame->root); + /* req->rpc_status set to -1 means, STACK_DESTROY will be called from + * the caller function. + */ + if (req->rpc_status != -1) + STACK_DESTROY (frame->root); synctask_barrier_wake(args); return 0; } @@ -780,8 +784,11 @@ out: if (rsp.op_errstr) free (rsp.op_errstr); GF_FREE (peerid); - - STACK_DESTROY (frame->root); + /* req->rpc_status set to -1 means, STACK_DESTROY will be called from + * the caller function. + */ + if (req->rpc_status != -1) + STACK_DESTROY (frame->root); synctask_barrier_wake(args); return 0; } @@ -1068,8 +1075,11 @@ out: if (rsp.dict.dict_val) free (rsp.dict.dict_val); GF_FREE (peerid); - - STACK_DESTROY (frame->root); + /* req->rpc_status set to -1 means, STACK_DESTROY will be called from + * the caller function. + */ + if (req->rpc_status != -1) + STACK_DESTROY (frame->root); synctask_barrier_wake(args); return 0; } @@ -1314,8 +1324,11 @@ out: gd_mgmt_v3_collate_errors (args, op_ret, op_errno, rsp.op_errstr, GLUSTERD_MGMT_V3_COMMIT, *peerid, rsp.uuid); GF_FREE (peerid); - - STACK_DESTROY (frame->root); + /* req->rpc_status set to -1 means, STACK_DESTROY will be called from + * the caller function. + */ + if (req->rpc_status != -1) + STACK_DESTROY (frame->root); synctask_barrier_wake(args); return 0; } @@ -1542,8 +1555,11 @@ out: if (rsp.dict.dict_val) free (rsp.dict.dict_val); GF_FREE (peerid); - - STACK_DESTROY (frame->root); + /* req->rpc_status set to -1 means, STACK_DESTROY will be called from + * the caller function. + */ + if (req->rpc_status != -1) + STACK_DESTROY (frame->root); synctask_barrier_wake(args); return 0; } @@ -1758,8 +1774,11 @@ out: if (rsp.dict.dict_val) free (rsp.dict.dict_val); GF_FREE (peerid); - - STACK_DESTROY (frame->root); + /* req->rpc_status set to -1 means, STACK_DESTROY will be called from + * the caller function. + */ + if (req->rpc_status != -1) + STACK_DESTROY (frame->root); synctask_barrier_wake(args); return 0; } diff --git a/xlators/mgmt/glusterd/src/glusterd-syncop.c b/xlators/mgmt/glusterd/src/glusterd-syncop.c index 8ff7bdea818..32c9a75cb5f 100644 --- a/xlators/mgmt/glusterd/src/glusterd-syncop.c +++ b/xlators/mgmt/glusterd/src/glusterd-syncop.c @@ -363,8 +363,11 @@ out: GLUSTERD_MGMT_V3_LOCK, *peerid, rsp.uuid); GF_FREE (peerid); - - STACK_DESTROY (frame->root); + /* req->rpc_status set to -1 means, STACK_DESTROY will be called from + * the caller function. + */ + if (req->rpc_status != -1) + STACK_DESTROY (frame->root); synctask_barrier_wake(args); return 0; } @@ -465,8 +468,11 @@ out: GLUSTERD_MGMT_V3_UNLOCK, *peerid, rsp.uuid); GF_FREE (peerid); - - STACK_DESTROY (frame->root); + /* req->rpc_status set to -1 means, STACK_DESTROY will be called from + * the caller function. + */ + if (req->rpc_status != -1) + STACK_DESTROY (frame->root); synctask_barrier_wake(args); return 0; } @@ -578,8 +584,11 @@ out: GLUSTERD_MGMT_CLUSTER_LOCK, *peerid, rsp.uuid); GF_FREE (peerid); - - STACK_DESTROY (frame->root); + /* req->rpc_status set to -1 means, STACK_DESTROY will be called from + * the caller function. + */ + if (req->rpc_status != -1) + STACK_DESTROY (frame->root); synctask_barrier_wake(args); return 0; } @@ -672,8 +681,11 @@ out: GLUSTERD_MGMT_CLUSTER_UNLOCK, *peerid, rsp.uuid); GF_FREE (peerid); - - STACK_DESTROY (frame->root); + /* req->rpc_status set to -1 means, STACK_DESTROY will be called from + * the caller function. + */ + if (req->rpc_status != -1) + STACK_DESTROY (frame->root); synctask_barrier_wake(args); return 0; } @@ -801,8 +813,11 @@ out: if (rsp_dict) dict_unref (rsp_dict); GF_FREE (peerid); - - STACK_DESTROY (frame->root); + /* req->rpc_status set to -1 means, STACK_DESTROY will be called from + * the caller function. + */ + if (req->rpc_status != -1) + STACK_DESTROY (frame->root); synctask_barrier_wake(args); return 0; } @@ -910,7 +925,11 @@ out: free (rsp.op_errstr); free (rsp.output.output_val); - STACK_DESTROY (frame->root); + /* req->rpc_status set to -1 means, STACK_DESTROY will be called from + * the caller function. + */ + if (req->rpc_status != -1) + STACK_DESTROY (frame->root); __wake (args); return 0; @@ -1087,8 +1106,11 @@ out: if (rsp_dict) dict_unref (rsp_dict); GF_FREE (peerid); - - STACK_DESTROY (frame->root); + /* req->rpc_status set to -1 means, STACK_DESTROY will be called from + * the caller function. + */ + if (req->rpc_status != -1) + STACK_DESTROY (frame->root); synctask_barrier_wake(args); return 0; -- cgit