cluster/dht: Fix crash in dht rmdir

Using local->call_cnt to check STACK_WINDs can cause dht_rmdir_do to be called erroneously if dht_rmdir_readdirp_cbk unwinds before we check if local->call_cnt is zero in dht_rmdir_opendir_cbk. This can cause frame corruptions and crashes. Thanks to Shyam (srangana@redhat.com) for the analysis. Change-Id: I5362cf78f97f21b3fade0b9e94d492002a8d4a11 BUG: 1451083 Signed-off-by: N Balachandran <nbalacha@redhat.com> Reviewed-on: https://review.gluster.org/17305 Smoke: Gluster Build System <jenkins@build.gluster.org> NetBSD-regression: NetBSD Build System <jenkins@build.gluster.org> CentOS-regression: Gluster Build System <jenkins@build.gluster.org> Reviewed-by: Shyamsundar Ranganathan <srangana@redhat.com>
author: N Balachandran <nbalacha@redhat.com> 2017-05-16 10:26:25 +0530
committer: Shyamsundar Ranganathan <srangana@redhat.com> 2017-05-16 14:03:06 +0000
commit: 6f7d55c9d58797beaf8d5393c03a5a545bed8bec (patch)
tree: 13f72a99153a8e93a628ba4381733ea4e98518b3 /xlators/cluster/dht
parent: 9d70343977aa870004c836a800a5cec11647b409 (diff)
1 files changed, 10 insertions, 4 deletions
diff --git a/xlators/cluster/dht/src/dht-common.c b/xlators/cluster/dht/src/dht-common.c
index ae7851798ab..af6345ecc2a 100644
--- a/xlators/cluster/dht/src/dht-common.c
+++ b/xlators/cluster/dht/src/dht-common.c
@@ -8519,6 +8519,7 @@ dht_rmdir_opendir_cbk (call_frame_t *frame, void *cookie, xlator_t *this,
         char          gfid[GF_UUID_BUF_SIZE] = {0};
         dht_local_t  *readdirp_local = NULL;
         call_frame_t *readdirp_frame = NULL;
+        int           cnt           = 0;
 
         local = frame->local;
         prev  = cookie;
@@ -8561,7 +8562,7 @@ dht_rmdir_opendir_cbk (call_frame_t *frame, void *cookie, xlator_t *this,
                         "%s: Failed to set dictionary value:key = %s",
                         local->loc.path, conf->link_xattr_name);
 
-        local->call_cnt = conf->subvolume_cnt;
+        cnt = local->call_cnt = conf->subvolume_cnt;
 
 
         /* Create a separate frame per subvol as we might need
@@ -8574,7 +8575,9 @@ dht_rmdir_opendir_cbk (call_frame_t *frame, void *cookie, xlator_t *this,
                 readdirp_frame = copy_frame (frame);
 
                 if (!readdirp_frame) {
-                        local->call_cnt--;
+                        cnt--;
+                        /* Reduce the local->call_cnt as well */
+                        dht_frame_return (frame);
                         continue;
                 }
 
@@ -8583,7 +8586,9 @@ dht_rmdir_opendir_cbk (call_frame_t *frame, void *cookie, xlator_t *this,
 
                 if (!readdirp_local) {
                         DHT_STACK_DESTROY (readdirp_frame);
-                        local->call_cnt--;
+                        cnt--;
+                        /* Reduce the local->call_cnt as well */
+                        dht_frame_return (frame);
                         continue;
                 }
                 readdirp_local->main_frame = frame;
@@ -8603,7 +8608,8 @@ dht_rmdir_opendir_cbk (call_frame_t *frame, void *cookie, xlator_t *this,
                 dict_unref (dict);
 
         /* Could not wind readdirp to any subvol */
-        if (!local->call_cnt)
+
+        if (!cnt)
                 goto err;
 
         return 0;
author	N Balachandran <nbalacha@redhat.com>	2017-05-16 10:26:25 +0530
committer	Shyamsundar Ranganathan <srangana@redhat.com>	2017-05-16 14:03:06 +0000
commit	6f7d55c9d58797beaf8d5393c03a5a545bed8bec (patch)
tree	13f72a99153a8e93a628ba4381733ea4e98518b3 /xlators/cluster/dht
parent	9d70343977aa870004c836a800a5cec11647b409 (diff)