From 102b565fd867b7ef721b481aeb6c8c39d904ecec Mon Sep 17 00:00:00 2001
From: Jiffin Tony Thottan <jthottan@gmail.com>
Date: Mon, 22 Feb 2016 17:20:58 +0530
Subject: gfapi : Avoid double freeing of dict in glfs_*_*getxattr

The dict variable "xattr" is passed to glfs_getxattr_process() and
glfs_listxattr_process() in glfs_*_*getxattrs(). This variable is
unrefed by both functions and again in caller function which may
result in segfault. So it is wrong to call dict_unref() in both
glfs_*xattr_process functions.

Backport reference :
>Change-Id: I227f55ebc3169f58910863c04ae536a8d789e80e
>BUG: 1247603 Signed-off-by: Jiffin Tony Thottan <jthottan@redhat.com>
>Reviewed-on: http://review.gluster.org/13483
>Smoke: Gluster Build System <jenkins@build.gluster.com>
>NetBSD-regression: NetBSD Build System <jenkins@build.gluster.org>
>CentOS-regression: Gluster Build System <jenkins@build.gluster.com>
>Reviewed-by: Niels de Vos <ndevos@redhat.com>

Change-Id: I2e574ff4b7a095749540bdb9d3593bc1d6275e56
BUG: 1311407
Signed-off-by: Jiffin Tony Thottan <jthottan@redhat.com>
Signed-off-by: Oleksandr Natalenko <oleksandr@natalenko.name>
Reviewed-on: http://review.gluster.org/13505
Reviewed-by: Prashanth Pai <ppai@redhat.com>
NetBSD-regression: NetBSD Build System <jenkins@build.gluster.org>
Smoke: Gluster Build System <jenkins@build.gluster.org>
Reviewed-by: Niels de Vos <ndevos@redhat.com>
CentOS-regression: Gluster Build System <jenkins@build.gluster.org>
---
 api/src/glfs-fops.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/api/src/glfs-fops.c b/api/src/glfs-fops.c
index 2ff1c8cc89d..4437ebf3d29 100644
--- a/api/src/glfs-fops.c
+++ b/api/src/glfs-fops.c
@@ -3132,8 +3132,6 @@ glfs_getxattr_process (void *value, size_t size, dict_t *xattr,
 
 	memcpy (value, data->data, ret);
 out:
-	if (xattr)
-		dict_unref (xattr);
 	return ret;
 }
 
@@ -3194,6 +3192,9 @@ retry:
 out:
 	loc_wipe (&loc);
 
+        if (xattr)
+                dict_unref (xattr);
+
 	glfs_subvol_done (fs, subvol);
 
         __GLFS_EXIT_FS;
@@ -3274,6 +3275,8 @@ out:
 		fd_unref (fd);
         if (glfd)
                 GF_REF_PUT (glfd);
+        if (xattr)
+                dict_unref (xattr);
 
 	glfs_subvol_done (glfd->fs, subvol);
 
@@ -3307,9 +3310,6 @@ glfs_listxattr_process (void *value, size_t size, dict_t *xattr)
 	}
 
 out:
-        if (xattr)
-                dict_unref (xattr);
-
 	return ret;
 }
 
@@ -3358,6 +3358,9 @@ retry:
 out:
 	loc_wipe (&loc);
 
+        if (xattr)
+                dict_unref (xattr);
+
 	glfs_subvol_done (fs, subvol);
 
         __GLFS_EXIT_FS;
@@ -3423,6 +3426,8 @@ out:
 		fd_unref (fd);
         if (glfd)
                 GF_REF_PUT (glfd);
+        if (xattr)
+                dict_unref (xattr);
 
 	glfs_subvol_done (glfd->fs, subvol);
 
-- 
cgit