|
 |
887953 |
From 870513f9bade449fa760a81e242102860a0fdc91 Mon Sep 17 00:00:00 2001
|
|
|
887953 |
From: N Balachandran <nbalacha@redhat.com>
|
|
|
887953 |
Date: Thu, 13 Dec 2018 10:54:15 +0530
|
|
|
887953 |
Subject: [PATCH 470/493] dht: fix use after free in dht_rmdir_readdirp_cbk
|
|
|
887953 |
|
|
|
887953 |
The frame is freed when linkfile exist in dht_rmdir_is_subvol_empty(),
|
|
|
887953 |
the following message use the freed local.
|
|
|
887953 |
|
|
|
887953 |
upstream patch: https://review.gluster.org/#/c/glusterfs/+/21446/
|
|
|
887953 |
|
|
|
887953 |
> Change-Id: I41191e8bd477f031a2444d5f15e578dc4f086e6b
|
|
|
887953 |
> Updates: bz#1640489
|
|
|
887953 |
> Signed-off-by: Kinglong Mee <mijinlong@open-fs.com>
|
|
|
887953 |
|
|
|
887953 |
Change-Id: Ia257e1da57cc486ab336e43f8e88187e984c70e2
|
|
|
887953 |
BUG: 1654103
|
|
|
887953 |
Author: Kinglong Mee <mijinlong@open-fs.com>
|
|
|
887953 |
Signed-off-by: N Balachandran <nbalacha@redhat.com>
|
|
|
887953 |
Reviewed-on: https://code.engineering.redhat.com/gerrit/158486
|
|
|
887953 |
Tested-by: RHGS Build Bot <nigelb@redhat.com>
|
|
|
887953 |
Reviewed-by: Raghavendra Gowdappa <rgowdapp@redhat.com>
|
|
|
887953 |
---
|
|
|
887953 |
xlators/cluster/dht/src/dht-common.c | 23 +++++++++++++----------
|
|
|
887953 |
1 file changed, 13 insertions(+), 10 deletions(-)
|
|
|
887953 |
|
|
|
887953 |
diff --git a/xlators/cluster/dht/src/dht-common.c b/xlators/cluster/dht/src/dht-common.c
|
|
|
887953 |
index 2e19036..ff0099c 100644
|
|
|
887953 |
--- a/xlators/cluster/dht/src/dht-common.c
|
|
|
887953 |
+++ b/xlators/cluster/dht/src/dht-common.c
|
|
|
887953 |
@@ -10175,6 +10175,7 @@ dht_rmdir_readdirp_cbk (call_frame_t *frame, void *cookie, xlator_t *this,
|
|
|
887953 |
xlator_t *prev = NULL;
|
|
|
887953 |
xlator_t *src = NULL;
|
|
|
887953 |
int ret = 0;
|
|
|
887953 |
+ char *path = NULL;
|
|
|
887953 |
|
|
|
887953 |
|
|
|
887953 |
local = frame->local;
|
|
|
887953 |
@@ -10182,6 +10183,11 @@ dht_rmdir_readdirp_cbk (call_frame_t *frame, void *cookie, xlator_t *this,
|
|
|
887953 |
src = prev;
|
|
|
887953 |
|
|
|
887953 |
if (op_ret > 2) {
|
|
|
887953 |
+ /* dht_rmdir_is_subvol_empty() may free the frame,
|
|
|
887953 |
+ * copy path for logging.
|
|
|
887953 |
+ */
|
|
|
887953 |
+ path = gf_strdup(local->loc.path);
|
|
|
887953 |
+
|
|
|
887953 |
ret = dht_rmdir_is_subvol_empty (frame, this, entries, src);
|
|
|
887953 |
|
|
|
887953 |
switch (ret) {
|
|
|
887953 |
@@ -10192,27 +10198,24 @@ dht_rmdir_readdirp_cbk (call_frame_t *frame, void *cookie, xlator_t *this,
|
|
|
887953 |
local->loc.path, op_ret);
|
|
|
887953 |
local->op_ret = -1;
|
|
|
887953 |
local->op_errno = ENOTEMPTY;
|
|
|
887953 |
- goto done;
|
|
|
887953 |
+ break;
|
|
|
887953 |
default:
|
|
|
887953 |
/* @ret number of linkfiles are getting unlinked */
|
|
|
887953 |
gf_msg_trace (this->name, 0,
|
|
|
887953 |
"readdir on %s for %s found %d "
|
|
|
887953 |
- "linkfiles", prev->name,
|
|
|
887953 |
- local->loc.path, ret);
|
|
|
887953 |
+ "linkfiles",
|
|
|
887953 |
+ prev->name, path, ret);
|
|
|
887953 |
break;
|
|
|
887953 |
}
|
|
|
887953 |
|
|
|
887953 |
}
|
|
|
887953 |
|
|
|
887953 |
-
|
|
|
887953 |
- if (ret) {
|
|
|
887953 |
- return 0;
|
|
|
887953 |
- }
|
|
|
887953 |
-
|
|
|
887953 |
-done:
|
|
|
887953 |
/* readdirp failed or no linkto files were found on this subvol */
|
|
|
887953 |
+ if (!ret) {
|
|
|
887953 |
+ dht_rmdir_readdirp_done(frame, this);
|
|
|
887953 |
+ }
|
|
|
887953 |
+ GF_FREE(path);
|
|
|
887953 |
|
|
|
887953 |
- dht_rmdir_readdirp_done (frame, this);
|
|
|
887953 |
return 0;
|
|
|
887953 |
}
|
|
|
887953 |
|
|
|
887953 |
--
|
|
|
887953 |
1.8.3.1
|
|
|
887953 |
|