author | Ravishankar N <ravishankar@redhat.com> | 2017-02-02 16:41:45 +0530 |
---|---|---|
committer | Shyamsundar Ranganathan <srangana@redhat.com> | 2017-02-15 07:33:24 -0500 |
commit | 5d8951afdc083008ad1d6f930291b36dca86c94f (patch) | |
tree | 22545b0a1de8664afb0f7ed5d7936396af35c3c3 /xlators/protocol/client/src/client-rpc-fops.c | |
parent | 8de5213db8771088ae214d42bcae056e409d7b6a (diff) |
protocol/client: Fix double free of client fdctx destroy
This patch fixes the race between fd re-open code and fd release code,
both of which free the fd context due to a race in certain variable
checks as explained below:
1. client process (shd in the case of this BZ) sends an opendir to its
children (client xlators) which send the fop to the bricks to get a valid fd.
2. Client xlator loses connection to the brick. fdctx->remotefd is -1
3. Client re-establishes connection. After handshake, it reopens the dir
and sets fdctx->remotefd to a valid fd in client3_3_reopendir_cbk().
4. Meanwhile, shd sends a fd unref after it is done with the opendir.
This triggers a releasedir (since fd->refcount becomes 0).
5. client3_3_releasedir() sees that fdctx->remotefd is a valid number
(i.e. not -1), sets fdctx->released=1 and calls client_fdctx_destroy()
6. As a continuation of step3, client_reopen_done() is called by
client3_3_reopendir_cbk(), which sees that fdctx->released==1 and
again calls client_fdctx_destroy().
Depending on when step-5 does GF_FREE(fdctx), we may crash at any place in
step-6 in client3_3_reopendir_cbk() when it tries to access
fdctx->{whatever}.
> Reviewed-on: https://review.gluster.org/16521
> CentOS-regression: Gluster Build System <jenkins@build.gluster.org>
> NetBSD-regression: NetBSD Build System <jenkins@build.gluster.org>
> Smoke: Gluster Build System <jenkins@build.gluster.org>
> Reviewed-by: Pranith Kumar Karampuri <pkarampu@redhat.com>
(cherry picked from commit 25fc74f9d1f2b1e7bab76485a99f27abadd10b7b)
Change-Id: Ia50873d11763e084e41d2a1f4d53715438e5e947
BUG: 1422350
Signed-off-by: Ravishankar N <ravishankar@redhat.com>
Reviewed-on: https://review.gluster.org/16619
Smoke: Gluster Build System <jenkins@build.gluster.org>
NetBSD-regression: NetBSD Build System <jenkins@build.gluster.org>
CentOS-regression: Gluster Build System <jenkins@build.gluster.org>
Reviewed-by: Shyamsundar Ranganathan <srangana@redhat.com>
Diffstat (limited to 'xlators/protocol/client/src/client-rpc-fops.c')
-rw-r--r-- | xlators/protocol/client/src/client-rpc-fops.c | 25 |
1 files changed, 15 insertions, 10 deletions
diff --git a/xlators/protocol/client/src/client-rpc-fops.c b/xlators/protocol/client/src/client-rpc-fops.c index c260ac211ef..37d119fc08c 100644 --- a/xlators/protocol/client/src/client-rpc-fops.c +++ b/xlators/protocol/client/src/client-rpc-fops.c @@ -3299,6 +3299,7 @@ client3_3_releasedir (call_frame_t *frame, xlator_t *this, clnt_fd_ctx_t *fdctx = NULL; clnt_args_t *args = NULL; int64_t remote_fd = -1; + gf_boolean_t destroy = _gf_false; if (!this || !data) goto out; @@ -3317,16 +3318,19 @@ client3_3_releasedir (call_frame_t *frame, xlator_t *this, reopen_cbk handle releasing */ - if (remote_fd != -1) + if (remote_fd == -1) { + fdctx->released = 1; + } else { list_del_init (&fdctx->sfd_pos); - - fdctx->released = 1; + destroy = _gf_true; + } } } pthread_mutex_unlock (&conf->lock); - if (remote_fd != -1) + if (destroy) client_fdctx_destroy (this, fdctx); + out: return 0; @@ -3341,6 +3345,7 @@ client3_3_release (call_frame_t *frame, xlator_t *this, clnt_fd_ctx_t *fdctx = NULL; clnt_args_t *args = NULL; lk_heal_state_t lk_heal_state = GF_LK_HEAL_DONE; + gf_boolean_t destroy = _gf_false; if (!this || !data) goto out; @@ -3359,17 +3364,17 @@ client3_3_release (call_frame_t *frame, xlator_t *this, in progress. Just mark ->released = 1 and let reopen_cbk handle releasing */ - - if (remote_fd != -1 && - lk_heal_state == GF_LK_HEAL_DONE) + if (remote_fd == -1) { + fdctx->released = 1; + } else if (lk_heal_state == GF_LK_HEAL_DONE) { list_del_init (&fdctx->sfd_pos); - - fdctx->released = 1; + destroy = _gf_true; + } } } pthread_mutex_unlock (&conf->lock); - if (remote_fd != -1 && lk_heal_state == GF_LK_HEAL_DONE) + if (destroy) client_fdctx_destroy (this, fdctx); out: return 0; |
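Review bot: in client3_3_releasedir() the destroy branch (remote_fd != -1) no longer sets fdctx->released, but the retained comment ending "reopen_cbk handle releasing" still sits above both branches, so it is not obvious which branch it describes. Since released is the hand-off flag that makes the reopen callback free the context, I would move that comment inside the "if (remote_fd == -1)" branch and say there that only one of the two paths may call client_fdctx_destroy(). The fix also relies on the reopen side updating fdctx->remotefd and testing fdctx->released under conf->lock; this diff is limited to client-rpc-fops.c and does not show that, so please confirm it in the description. The blank line added before "out:" is unrelated whitespace and can be dropped.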
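Review bot: in client3_3_release() the case remote_fd != -1 with lk_heal_state != GF_LK_HEAL_DONE now falls through both branches. The removed code set fdctx->released = 1 unconditionally, so that case used to be flagged for later cleanup; with "if (remote_fd == -1) { ... } else if (lk_heal_state == GF_LK_HEAL_DONE) { ... }" nothing is set and destroy stays _gf_false, which leaves the fdctx neither freed nor marked as released. If that is intended, a comment naming who frees the context once lock healing finishes would help; if not, the released flag needs to be set in a final else branch. The commit message describes only the opendir/releasedir race, so a sentence on why the same change is safe for the lock-heal path in release would make this hunk easier to verify.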