From 6fa531c57c633827283fba6a3cdaa1c68976ccb7 Mon Sep 17 00:00:00 2001
From: Bhumika Goyal <bgoyal@redhat.com>
Date: Tue, 7 Aug 2018 15:28:13 +0530
Subject: xlators: protocol: Fix deferencing pointer after free coverity issues

The pointer of type struct iobuf * is getting dereferenced after
getting freed by iobuf_unref function. Therefore, move this function
after all the dereferences of this pointer type.
Also, it is useful coding standard to have iobuf_unref just after
iobref_add. So, move iobref_add too.

Occurences found using Coccinelle script:
@@
identifier rsphdr_iobuf;
expression E;
identifier func;
@@
*iobuf_unref(rsphdr_iobuf);
...
*E = func(rsphdr_iobuf);

Fixes CID: 1390517, 1390278, 1388666, 1356588, 1356587 at [1].
and also some more occurences which were found using the above script but not
caught by Coverity.
[1]. https://scan6.coverity.com/reports.htm#v42388/p10714/fileInstanceId=84384920&defectInstanceId=25600709&mergedDefectId=1388666

Change-Id: I579e9d12698f14e9e24bc926c6efef16bac5c06c
updates: bz#789278
Signed-off-by: Bhumika Goyal <bgoyal@redhat.com>
---
 xlators/protocol/client/src/client-rpc-fops.c | 37 ++++++++++++---------------
 1 file changed, 16 insertions(+), 21 deletions(-)

(limited to 'xlators/protocol/client/src/client-rpc-fops.c')

diff --git a/xlators/protocol/client/src/client-rpc-fops.c b/xlators/protocol/client/src/client-rpc-fops.c
index cf2d913dd71..5c5a96d9178 100644
--- a/xlators/protocol/client/src/client-rpc-fops.c
+++ b/xlators/protocol/client/src/client-rpc-fops.c
@@ -3456,13 +3456,13 @@ client3_3_readlink (call_frame_t *frame, xlator_t *this,
                 goto unwind;
         }
 
-        iobref_add (rsp_iobref, rsp_iobuf);
-        iobuf_unref (rsp_iobuf);
         rsphdr = &vector[0];
         rsphdr->iov_base = iobuf_ptr (rsp_iobuf);
         rsphdr->iov_len = iobuf_pagesize (rsp_iobuf);
         count = 1;
         local->iobref = rsp_iobref;
+        iobref_add (rsp_iobref, rsp_iobuf);
+        iobuf_unref (rsp_iobuf);
         rsp_iobuf = NULL;
         rsp_iobref = NULL;
 
@@ -4029,12 +4029,11 @@ client3_3_readv (call_frame_t *frame, xlator_t *this,
                 goto unwind;
         }
 
-        iobref_add (rsp_iobref, rsp_iobuf);
-        iobuf_unref (rsp_iobuf);
-
         rsp_vec.iov_base = iobuf_ptr (rsp_iobuf);
         rsp_vec.iov_len = iobuf_pagesize (rsp_iobuf);
 
+        iobref_add (rsp_iobref, rsp_iobuf);
+        iobuf_unref (rsp_iobuf);
         rsp_iobuf = NULL;
 
         if (args->size > rsp_vec.iov_len) {
@@ -4555,14 +4554,13 @@ client3_3_fgetxattr (call_frame_t *frame, xlator_t *this,
                 goto unwind;
         }
 
-        iobref_add (rsp_iobref, rsp_iobuf);
-        iobuf_unref (rsp_iobuf);
-
         rsphdr = &vector[0];
         rsphdr->iov_base = iobuf_ptr (rsp_iobuf);
         rsphdr->iov_len = iobuf_pagesize (rsp_iobuf);;
         count = 1;
         local->iobref = rsp_iobref;
+        iobref_add (rsp_iobref, rsp_iobuf);
+        iobuf_unref (rsp_iobuf);
         rsp_iobuf = NULL;
         rsp_iobref = NULL;
 
@@ -4650,14 +4648,13 @@ client3_3_getxattr (call_frame_t *frame, xlator_t *this,
                 goto unwind;
         }
 
-        iobref_add (rsp_iobref, rsp_iobuf);
-        iobuf_unref (rsp_iobuf);
-
         rsphdr = &vector[0];
         rsphdr->iov_base = iobuf_ptr (rsp_iobuf);
         rsphdr->iov_len = iobuf_pagesize (rsp_iobuf);
         count = 1;
         local->iobref = rsp_iobref;
+        iobref_add (rsp_iobref, rsp_iobuf);
+        iobuf_unref (rsp_iobuf);
         rsp_iobuf = NULL;
         rsp_iobref = NULL;
 
@@ -4771,14 +4768,13 @@ client3_3_xattrop (call_frame_t *frame, xlator_t *this,
                 goto unwind;
         }
 
-        iobref_add (rsp_iobref, rsp_iobuf);
-        iobuf_unref (rsp_iobuf);
-
         rsphdr = &vector[0];
         rsphdr->iov_base = iobuf_ptr (rsp_iobuf);
         rsphdr->iov_len = iobuf_pagesize (rsp_iobuf);
         count = 1;
         local->iobref = rsp_iobref;
+        iobref_add (rsp_iobref, rsp_iobuf);
+        iobuf_unref (rsp_iobuf);
         rsp_iobuf = NULL;
         rsp_iobref = NULL;
 
@@ -4872,13 +4868,13 @@ client3_3_fxattrop (call_frame_t *frame, xlator_t *this,
                 goto unwind;
         }
 
-        iobref_add (rsp_iobref, rsp_iobuf);
-        iobuf_unref (rsp_iobuf);
         rsphdr = &vector[0];
         rsphdr->iov_base = iobuf_ptr (rsp_iobuf);
         rsphdr->iov_len = iobuf_pagesize (rsp_iobuf);
         count = 1;
         local->iobref = rsp_iobref;
+        iobref_add (rsp_iobref, rsp_iobuf);
+        iobuf_unref (rsp_iobuf);
         rsp_iobuf = NULL;
         rsp_iobref = NULL;
 
@@ -5485,14 +5481,13 @@ client3_3_readdirp (call_frame_t *frame, xlator_t *this,
                         goto unwind;
                 }
 
-                iobref_add (rsp_iobref, rsp_iobuf);
-                iobuf_unref (rsp_iobuf);
-
                 rsphdr = &vector[0];
                 rsphdr->iov_base = iobuf_ptr (rsp_iobuf);
                 rsphdr->iov_len  = iobuf_pagesize (rsp_iobuf);
                 count = 1;
                 local->iobref = rsp_iobref;
+                iobref_add (rsp_iobref, rsp_iobuf);
+                iobuf_unref (rsp_iobuf);
                 rsp_iobuf = NULL;
                 rsp_iobref = NULL;
         }
@@ -5884,12 +5879,12 @@ client3_3_compound (call_frame_t *frame, xlator_t *this, void *data)
                 goto unwind;
         }
 
-        iobref_add (rsphdr_iobref, rsphdr_iobuf);
-        iobuf_unref (rsphdr_iobuf);
         rsphdr = &vector[0];
         rsphdr->iov_base = iobuf_ptr (rsphdr_iobuf);
         rsphdr->iov_len = iobuf_pagesize (rsphdr_iobuf);
         rsphdr_count = 1;
+        iobref_add (rsphdr_iobref, rsphdr_iobuf);
+        iobuf_unref (rsphdr_iobuf);
         rsphdr_iobuf = NULL;
 
         req.compound_fop_enum = c_args->fop_enum;
-- 
cgit