From e45f9943e321324988f36eca9dbd4dbd8536b17c Mon Sep 17 00:00:00 2001
From: Pranith Kumar K
Date: Tue, 7 Jul 2015 12:40:42 +0530
Subject: cluster/ec: Fix use after free bug

In ec_lock() there is a chance that ec_resume is called on fop even before ec_sleep. This can result in refs == 0 for fop leading to use after free in this function when it calls ec_sleep so do ec_sleep at start and ec_resume at end of this function.

Change-Id: I879b2667bf71eaa56be1b53b5bdc91b7bb56c650
BUG: 1240284
Signed-off-by: Pranith Kumar K
Reviewed-on: http://review.gluster.org/11558
Reviewed-by: Xavier Hernandez
Tested-by: Gluster Build System
Tested-by: NetBSD Build System
---
 xlators/cluster/ec/src/ec-common.c | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'xlators/cluster/ec/src/ec-common.c')

diff --git a/xlators/cluster/ec/src/ec-common.c b/xlators/cluster/ec/src/ec-common.c
index 8d1196dd0c3..41adbb4c508 100644
--- a/xlators/cluster/ec/src/ec-common.c
+++ b/xlators/cluster/ec/src/ec-common.c
@@ -244,6 +244,7 @@ void ec_sleep(ec_fop_data_t *fop)
 {
     LOCK(&fop->lock);
 
+    GF_ASSERT (fop->refs > 0);
     fop->refs++;
     fop->jobs++;
 
@@ -1319,6 +1320,12 @@ void ec_lock(ec_fop_data_t *fop)
     ec_lock_link_t *timer_link = NULL;
     ec_lock_t *lock;
 
+    /* There is a chance that ec_resume is called on fop even before ec_sleep.
+     * Which can result in refs == 0 for fop leading to use after free in this
+     * function when it calls ec_sleep so do ec_sleep at start and ec_resume at
+     * the end of this function.*/
+    ec_sleep (fop);
+
     while (fop->locked < fop->lock_count) {
         /* Since there are only up to 2 locks per fop, this xor will change
          * the order of the locks if fop->first_lock is 1. */
@@ -1383,6 +1390,7 @@ void ec_lock(ec_fop_data_t *fop)
             timer_link = NULL;
         }
     }
+    ec_resume (fop, 0);
 
     if (timer_link != NULL) {
         ec_resume(timer_link->fop, 0);
-- cgit
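Review bot: The added `GF_ASSERT (fop->refs > 0)` in ec_sleep only detects the refs == 0 state; the `fop->refs++` on the next line still executes on a fop that may already have been released, so if GF_ASSERT merely logs in non-debug builds (worth confirming against the project's macro definition) this is a diagnostic, not a guard. Consider saying so at the assert with `/* refs == 0 here means the fop may already be freed; callers must hold a reference before sleeping */` so readers do not rely on it for safety. ec_sleep's body continues outside the hunk.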
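Review bot: The `ec_sleep (fop)` added at the top of ec_lock is balanced only by the `ec_resume (fop, 0)` in the third hunk at the end of the function; any early `return` inside the while loop body, which lies between the two hunks and is not visible here, would leave the extra ref and jobs count unbalanced and keep the fop pinned, so the loop body should be checked for exits that skip the resume. The new comment also reads as a sentence fragment ("Which can result..."); consider `/* ec_resume() may be called on fop before ec_sleep(), leaving refs == 0 and freeing the fop while this function still uses it. Hold a reference for the whole function: ec_sleep() here, ec_resume() at the end. */`. ec_lock's body continues outside the hunk.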
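Review bot: After `ec_resume (fop, 0)` the function may no longer hold the reference it took with ec_sleep, since, as its use in this fix implies, the resume can release that reference; if the lines after this hunk (ec_lock's tail is outside the hunk) still dereference `fop`, the use-after-free is only moved later rather than removed. The resume should be the last statement that touches fop, or be placed immediately before the function returns. Separately, `ec_resume (fop, 0)` puts a space before the parenthesis while the adjacent `ec_resume(timer_link->fop, 0);` does not; match the existing call spacing, `ec_resume(fop, 0);`.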