From daed52b8ebcac7ef36f11e944f83826f46593867 Mon Sep 17 00:00:00 2001
From: Niels de Vos
Date: Fri, 23 Jun 2017 10:01:27 +0200
Subject: nfs: make nfs3_call_state_t refcounted

There is no refcounting done of the nfs3_call_state_t structure, which seems to result in use-after-free problems in the NLM part of Gluster/NFS. The structure is initialized with two different functions, it is easier to have a single place to do this. The Gluster/NFS part will not use the refcounting, for now. This is being added to make the NLM code more stable. nfs3_call_state_wipe() will behave as before for Gluster/NFS, but cleanup is triggered through the refcounting now. This prevents major changes to the stable part of the NFS-server, and makes it possible to improve the NLM component separately.

Change-Id: I2e15bcf12af74e8a46c2727e4a160e9444d29ece
BUG: 1467313
Signed-off-by: Niels de Vos
Reviewed-on: https://review.gluster.org/17696
Smoke: Gluster Build System
Reviewed-by: Amar Tumballi
CentOS-regression: Gluster Build System
Reviewed-by: Kaleb KEITHLEY
Reviewed-by: jiffin tony Thottan
---
 xlators/nfs/server/src/nlm4.c | 15 ++++-----------
 1 file changed, 4 insertions(+), 11 deletions(-)
(limited to 'xlators/nfs/server/src/nlm4.c')

diff --git a/xlators/nfs/server/src/nlm4.c b/xlators/nfs/server/src/nlm4.c
index 281eaee5fab..d0478f6250e 100644
--- a/xlators/nfs/server/src/nlm4.c
+++ b/xlators/nfs/server/src/nlm4.c
@@ -48,6 +48,9 @@ typedef ssize_t (*nlm4_serializer) (struct iovec outmsg, void *args);
 extern void nfs3_call_state_wipe (nfs3_call_state_t *cs);
+nfs3_call_state_t *
+nfs3_call_state_init (struct nfs3_state *s, rpcsvc_request_t *req, xlator_t *v);
+
 struct list_head nlm_client_list;
 gf_lock_t nlm_client_list_lk;
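Review bot: The prototype added at the top of nlm4.c is a hand-written copy of nfs3_call_state_init's signature with nothing tying it to the definition in its own translation unit, the same pattern the `extern void nfs3_call_state_wipe` declaration one line above already follows. If the defining file's signature changes later (for instance when the refcounting this commit introduces grows another parameter), the compiler cannot detect the mismatch here and the call in nlm4_call_state_init would pass the wrong arguments silently. Declaring both functions in the header that the defining translation unit includes, so that one prototype is checked against the definition, would close that gap. Failing that, a comment above the added lines, `/* defined in the nfs3 implementation; keep in sync until it moves to a shared header */`, at least flags the coupling for the next reader.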
@@ -67,9 +70,6 @@ int nlm_grace_period = 50;
 } \
 } while (0); \
-nfs3_call_state_t *
-nfs3_call_state_init (struct nfs3_state *s, rpcsvc_request_t *req, xlator_t *v);
-
 #define nlm4_handle_call_state_init(nfs3state, calls, rq, opstat, errlabel)\
 do { \
 calls = nlm4_call_state_init ((nfs3state), (rq)); \
@@ -267,17 +267,10 @@ nlm4_call_state_init (struct nfs3_state *s, rpcsvc_request_t *req)
 if ((!s) || (!req)) return NULL;
- cs = (nfs3_call_state_t *) mem_get (s->localpool);
+ cs = nfs3_call_state_init (s, req, NULL);
 if (!cs) return NULL;
- memset (cs, 0, sizeof (*cs));
- INIT_LIST_HEAD (&cs->entries.list);
- INIT_LIST_HEAD (&cs->openwait_q);
- cs->operrno = EINVAL;
- cs->req = req;
- cs->nfsx = s->nfsx;
- cs->nfs3state = s;
 cs->monitor = 1;
 return cs;
-- cgit
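Review bot: nlm4_call_state_init now relies on nfs3_call_state_init to do everything the removed lines did — zeroing the struct, both INIT_LIST_HEAD calls, `cs->operrno = EINVAL`, and the req/nfsx/nfs3state back-pointers — but nothing in the hunk shows that, and `openwait_q` in particular is an NLM-side list that a generic NFSv3 initializer may not touch. If it is left uninitialized, the first list operation on it in the NLM path dereferences garbage, which is the same class of memory error this commit sets out to fix, so please confirm against the body of nfs3_call_state_init or re-initialize it here after the call. The third argument is passed as NULL where the old code stored `s->nfsx`; a comment such as `/* NULL: nfs3_call_state_init is expected to take the xlator from s->nfsx */` (or whatever the real meaning is) would stop the next reader from assuming nfsx is left unset. Note also that no reference is taken here, so the lifetime handling of the NLM callers is unchanged by this hunk and the use-after-free described in the commit message is only closed once those callers ref/unref. The enclosing function starts before the hunk and its closing brace is after it.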