From 2a60854e8360309347236852989d520a04975e9c Mon Sep 17 00:00:00 2001
From: Raghavendra G
Date: Tue, 24 Feb 2015 10:25:16 +0530
Subject: cluster/dht: serialize execution of dht_discover_complete and STACK_DESTROY (frame).

In the current code, dht_discover_complete can be invoked because of:

1. attempt_unwind is true
2. we are processing reply from the last subvolume

In scenario 1, the following race is possible:

T1: calls dht_frame_return.
T2: calls dht_frame_return. This happens to be the last call and hence it invokes dht_discover_complete, goes ahead and destroys the frame.
T1: since attempt_unwind is true, calls dht_discover_complete. However, since the frame is already freed, the call to dht_discover_complete can result in a crash.

The fix is to make sure that destruction of the frame is done only by the thread executing dht_discover_complete.

Change-Id: I45765b90c4a9d0af0b33f8911b564d99e12d099e
BUG: 1195120
Signed-off-by: Raghavendra G
Reviewed-on: http://review.gluster.org/9729
Tested-by: Gluster Build System
Reviewed-by: Shyamsundar Ranganathan
Reviewed-by: N Balachandran
---
 xlators/cluster/dht/src/dht-common.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

(limited to 'xlators')

diff --git a/xlators/cluster/dht/src/dht-common.c b/xlators/cluster/dht/src/dht-common.c
index 1847b2fe003..47e617230f9 100644
--- a/xlators/cluster/dht/src/dht-common.c
+++ b/xlators/cluster/dht/src/dht-common.c
@@ -363,9 +363,18 @@ dht_discover_cbk (call_frame_t *frame, void *cookie, xlator_t *this, unlock: UNLOCK (&frame->lock); out: + /* Make sure, the thread executing dht_discover_complete is the one + * which calls STACK_DESTROY (frame). In the case of "attempt_unwind", + * this makes sure that the thread don't call dht_frame_return, till + * call to dht_discover_complete is done. + */ + if (attempt_unwind) { + dht_discover_complete (this, frame); + } + this_call_cnt = dht_frame_return (frame); - if (is_last_call (this_call_cnt) || attempt_unwind) { + if (is_last_call (this_call_cnt) && !attempt_unwind) { dht_discover_complete (this, frame); } -- cgit
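Review bot: with this hunk, dht_discover_complete can now run twice for the same discover frame: once from the new `if (attempt_unwind)` branch before dht_frame_return, and again from whichever thread later observes is_last_call with attempt_unwind false. That is only safe if dht_discover_complete tolerates a second invocation on a frame it has already unwound, and if the actual STACK_DESTROY (frame) site (not visible in this hunk) is reached solely from the is_last_call path, after every thread, including the attempt_unwind one, has gone through dht_frame_return; please confirm both in the review, or make the second call conditional on the unwind not having happened yet. Minor: the new comment should read `this makes sure that the thread does not call dht_frame_return until the call to dht_discover_complete is done`, and the comma after `Make sure` can go.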