uss/svc: fix double free on xdata dictionary

we were taking unref on wrong dictionary which results
in wrong memory access.

Change-Id: Ic25a6c209ecd72c9056dfcb79fabcfc650dd3c1e
BUG: 1467513
Signed-off-by: Mohammed Rafi KC <rkavunga@redhat.com>
Reviewed-on: https://review.gluster.org/17691
CentOS-regression: Gluster Build System <jenkins@build.gluster.org>
Smoke: Gluster Build System <jenkins@build.gluster.org>
Reviewed-by: Atin Mukherjee <amukherj@redhat.com>

2 files changed, 20 insertions, 8 deletions

diff --git a/xlators/features/snapview-client/src/snapview-client.c b/xlators/features/snapview-client/src/snapview-client.c
index 4ec2bd87c28..dafd3d356f4 100644
--- a/xlators/features/snapview-client/src/snapview-client.c
+++ b/xlators/features/snapview-client/src/snapview-client.c
@@ -1661,14 +1661,12 @@ gf_svc_readdirp_lookup_cbk (call_frame_t *frame, void *cookie, xlator_t *this,
 
         local = frame->local;
 
-        if (local->xdata != NULL)
-                dict_unref (xdata);
-
         if (op_ret) {
                 if (op_errno == ESTALE && !local->revalidate) {
                         local->revalidate = 1;
                         ret = gf_svc_special_dir_revalidate_lookup (frame,
-                                                                    this);
+                                                                    this,
+                                                                    xdata);
 
                         if (!ret)
                                 return 0;
@@ -1723,7 +1721,8 @@ out:
 }
 
 int
-gf_svc_special_dir_revalidate_lookup (call_frame_t *frame, xlator_t *this)
+gf_svc_special_dir_revalidate_lookup (call_frame_t *frame, xlator_t *this,
+                                      dict_t *xdata)
 {
         svc_private_t *private    = NULL;
         svc_local_t   *local      = NULL;
@@ -1740,6 +1739,15 @@ gf_svc_special_dir_revalidate_lookup (call_frame_t *frame, xlator_t *this)
         local = frame->local;
         loc = &local->loc;
 
+        if (local->xdata) {
+                dict_unref (local->xdata);
+                local->xdata = NULL;
+        }
+
+        if (xdata)
+                local->xdata = dict_ref (xdata);
+
+
         inode_unref (loc->inode);
         loc->inode = inode_new (loc->parent->table);
         if (!loc->inode) {
@@ -1878,10 +1886,13 @@ gf_svc_readdir_on_special_dir (call_frame_t *frame, void *cookie,
                 }
 
                 local->cookie = cookie;
-                if (xdata == NULL)
+                if (local->xdata) {
+                        dict_unref (local->xdata);
                         local->xdata = NULL;
-                else
+                }
+                if (xdata)
                         local->xdata = dict_ref (xdata);
+
                 STACK_WIND (frame, gf_svc_readdirp_lookup_cbk,
                             SECOND_CHILD (this),
                             SECOND_CHILD (this)->fops->lookup, loc, tmp_xdata);
diff --git a/xlators/features/snapview-client/src/snapview-client.h b/xlators/features/snapview-client/src/snapview-client.h
index e1fcb371e8c..169974af532 100644
--- a/xlators/features/snapview-client/src/snapview-client.h
+++ b/xlators/features/snapview-client/src/snapview-client.h
@@ -96,6 +96,7 @@ typedef enum {
 } inode_type_t;
 
 int
-gf_svc_special_dir_revalidate_lookup (call_frame_t *frame, xlator_t *this);
+gf_svc_special_dir_revalidate_lookup (call_frame_t *frame, xlator_t *this,
+                                      dict_t *xdata);
 
 #endif /* __SNAP_VIEW_CLIENT_H__ */