diff options
| author | Krutika Dhananjay <kdhananj@redhat.com> | 2016-10-17 15:13:28 +0530 |
|---|---|---|
| committer | Atin Mukherjee <amukherj@redhat.com> | 2016-10-24 07:11:08 -0700 |
| commit | 41dc5ee07ffba6d17459757abf13fae9f174e6b6 (patch) | |
| tree | 0cc0f68eb02c63300b2e1838ee39152af253ebe5 /rpc/rpc-lib/src/rpc-transport.c | |
| parent | f31b3213e2a97259faa7dcae2354d2535732068b (diff) | |
compound fops: Fix file corruption issue
1. Address of a local variable @args is copied into state->req
in server3_3_compound (). But even after the function has gone out of
scope, in server_compound_resume () this pointer is accessed and
dereferenced. This patch fixes that.
2. Compound fops, by virtue of NOT having a vector sizer (like the one
writev has), ends up having both the header and the data (in case one of
its member fops is WRITEV) in the same hdr_iobuf. This buffer was not
being preserved through the lifetime of the compound fop, causing it to
be overwritten by a parallel write fop, even when the writev associated
with the currently executing compound fop is yet to hit the desk, thereby
corrupting the file's data. This is fixed by associating the hdr_iobuf with
the iobref so its memory remains valid through the lifetime of the fop.
3. Also fixed a use-after-free bug in protocol/client in compound fops cbk,
missed by Linux but caught by NetBSD.
Finally, big thanks to Pranith Kumar K and Raghavendra Gowdappa for their
help in debugging this file corruption issue.
Change-Id: I6d5c04f400ecb687c9403a17a12683a96c2bf122
BUG: 1378778
Signed-off-by: Krutika Dhananjay <kdhananj@redhat.com>
Reviewed-on: http://review.gluster.org/15654
NetBSD-regression: NetBSD Build System <jenkins@build.gluster.org>
Reviewed-by: Raghavendra G <rgowdapp@redhat.com>
Smoke: Gluster Build System <jenkins@build.gluster.org>
CentOS-regression: Gluster Build System <jenkins@build.gluster.org>
Diffstat (limited to 'rpc/rpc-lib/src/rpc-transport.c')
| -rw-r--r-- | rpc/rpc-lib/src/rpc-transport.c | 6 |
1 files changed, 1 insertions, 5 deletions
diff --git a/rpc/rpc-lib/src/rpc-transport.c b/rpc/rpc-lib/src/rpc-transport.c index 005b68c5cbc..6ee5e15ede4 100644 --- a/rpc/rpc-lib/src/rpc-transport.c +++ b/rpc/rpc-lib/src/rpc-transport.c @@ -123,10 +123,6 @@ rpc_transport_pollin_destroy (rpc_transport_pollin_t *pollin) iobref_unref (pollin->iobref); } - if (pollin->hdr_iobuf) { - iobuf_unref (pollin->hdr_iobuf); - } - if (pollin->private) { /* */ GF_FREE (pollin->private); @@ -158,7 +154,7 @@ rpc_transport_pollin_alloc (rpc_transport_t *this, struct iovec *vector, msg->iobref = iobref_ref (iobref); msg->private = private; if (hdr_iobuf) - msg->hdr_iobuf = iobuf_ref (hdr_iobuf); + iobref_add (iobref, hdr_iobuf); out: return msg; |