From 61059a12fa6dd06a764a9d030bc2d294e4000ddb Mon Sep 17 00:00:00 2001

From: Niels de Vos <ndevos@redhat.com>

Date: Mon, 3 Jul 2017 16:24:53 +0200

Subject: [PATCH 549/557] nfs/nlm: use refcounting for nfs3_call_state_t

In order to track down a potential use-after-free of the

nfs3_call_state_t structure in the NLM component, add reference counting

where teh structure is used. This should prevent premature free'ing of

the structure.

Cherry picked from commit 01bfdd4d1759423681d311da33f4ac2346ace445:

> Change-Id: Ib1f13b0463ab1e012b7b49a623c91f0f3e73e1fb

> BUG: 1467313

> Signed-off-by: Niels de Vos <ndevos@redhat.com>

> Reviewed-on: https://review.gluster.org/17699

> Reviewed-by: jiffin tony Thottan <jthottan@redhat.com>

> Smoke: Gluster Build System <jenkins@build.gluster.org>

> CentOS-regression: Gluster Build System <jenkins@build.gluster.org>

Change-Id: Ib1f13b0463ab1e012b7b49a623c91f0f3e73e1fb

BUG: 1411344

Signed-off-by: Niels de Vos <ndevos@redhat.com>

Reviewed-on: https://code.engineering.redhat.com/gerrit/111768

Reviewed-by: Atin Mukherjee <amukherj@redhat.com>

---

 xlators/nfs/server/src/nlm4.c | 46 ++++++++++++++++++++++++++++++++-----------

 1 file changed, 35 insertions(+), 11 deletions(-)

diff --git a/xlators/nfs/server/src/nlm4.c b/xlators/nfs/server/src/nlm4.c

index ea4e628..d678edc 100644

--- a/xlators/nfs/server/src/nlm4.c

+++ b/xlators/nfs/server/src/nlm4.c

@@ -532,8 +532,11 @@ nlm4_file_open_cbk (call_frame_t *frame, void *cookie, xlator_t *this,

                 fd_bind (cs->fd);

         cs->resolve_ret = op_ret;

         cs->resume_fn (cs);

+

         frame->local = NULL;

         STACK_DESTROY (frame->root);

+        GF_REF_PUT (cs);

+

         return 0;

 }

@@ -673,7 +676,7 @@ nlm4_file_open_and_resume(nfs3_call_state_t *cs, nlm4_resume_fn_t resume)

         frame->root->pid = NFS_PID;

         frame->root->uid = rpcsvc_request_uid (cs->req);

         frame->root->gid = rpcsvc_request_gid (cs->req);

-        frame->local = cs;

+        frame->local = GF_REF_GET (cs);

         nfs_fix_groups (cs->nfsx, frame->root);

         STACK_WIND_COOKIE (frame, nlm4_file_open_cbk, cs->vol, cs->vol,

@@ -810,7 +813,7 @@ nlm4_test_fd_resume (void *carg)

         if (!carg)

                 return ret;

-        cs = (nfs3_call_state_t *)carg;

+        cs = GF_REF_GET ((nfs3_call_state_t *)carg);

         nfs_request_user_init (&nfu, cs->req);

         nlm4_lock_to_gf_flock (&flock, &cs->args.nlm4_testargs.alock,

                                cs->args.nlm4_testargs.exclusive);

@@ -818,6 +821,8 @@ nlm4_test_fd_resume (void *carg)

         ret = nfs_lk (cs->nfsx, cs->vol, &nfu, cs->fd, F_GETLK, &flock,

                       nlm4svc_test_cbk, cs);

+        GF_REF_PUT (cs);

+

         return ret;

 }

@@ -833,7 +838,7 @@ nlm4_test_resume (void *carg)

         if (!carg)

                 return ret;

-        cs = (nfs3_call_state_t *)carg;

+        cs = GF_REF_GET ((nfs3_call_state_t *)carg);

         nlm4_check_fh_resolve_status (cs, stat, nlm4err);

         fd = fd_anonymous (cs->resolvedloc.inode);

         if (!fd)

@@ -850,6 +855,8 @@ nlm4err:

                 nfs3_call_state_wipe (cs);

         }

+        GF_REF_PUT (cs);

+

         return ret;

 }

@@ -1375,7 +1382,7 @@ nlm4_lock_fd_resume (void *carg)

         if (!carg)

                 return ret;

-        cs = (nfs3_call_state_t *)carg;

+        cs = GF_REF_GET ((nfs3_call_state_t *)carg);

         nlm4_check_fh_resolve_status (cs, stat, nlm4err);

         (void) nlm_search_and_add (cs->fd,

                                    cs->args.nlm4_lockargs.alock.caller_name);

@@ -1406,6 +1413,8 @@ nlm4err:

                 nfs3_call_state_wipe (cs);

         }

+        GF_REF_PUT (cs);

+

         return ret;

 }

@@ -1420,7 +1429,7 @@ nlm4_lock_resume (void *carg)

         if (!carg)

                 return ret;

-        cs = (nfs3_call_state_t *)carg;

+        cs = GF_REF_GET ((nfs3_call_state_t *)carg);

         nlm4_check_fh_resolve_status (cs, stat, nlm4err);

         ret = nlm4_file_open_and_resume (cs, nlm4_lock_fd_resume);

@@ -1434,6 +1443,8 @@ nlm4err:

                 nfs3_call_state_wipe (cs);

         }

+        GF_REF_PUT (cs);

+

         return ret;

 }

@@ -1553,7 +1564,7 @@ nlm4_cancel_fd_resume (void *carg)

         if (!carg)

                 return ret;

-        cs = (nfs3_call_state_t *)carg;

+        cs = GF_REF_GET ((nfs3_call_state_t *)carg);

         nfs_request_user_init (&nfu, cs->req);

         nlm4_lock_to_gf_flock (&flock, &cs->args.nlm4_cancargs.alock,

                                 cs->args.nlm4_cancargs.exclusive);

@@ -1562,6 +1573,8 @@ nlm4_cancel_fd_resume (void *carg)

         ret = nfs_lk (cs->nfsx, cs->vol, &nfu, cs->fd, F_SETLK,

                       &flock, nlm4svc_cancel_cbk, cs);

+        GF_REF_PUT (cs);

+

         return ret;

 }

@@ -1576,7 +1589,7 @@ nlm4_cancel_resume (void *carg)

         if (!carg)

                 return ret;

-        cs = (nfs3_call_state_t *)carg;

+        cs = GF_REF_GET ((nfs3_call_state_t *)carg);

         nlm4_check_fh_resolve_status (cs, stat, nlm4err);

         nlmclnt = nlm_get_uniq (cs->args.nlm4_cancargs.alock.caller_name);

@@ -1603,6 +1616,9 @@ nlm4err:

                 nfs3_call_state_wipe (cs);

         }

+

+        GF_REF_PUT (cs);

+

         /* clean up is taken care of */

         return 0;

 }

@@ -1678,7 +1694,7 @@ nlm4svc_unlock_cbk (call_frame_t *frame, void *cookie, xlator_t *this,

         nlm4_stats                      stat = nlm4_denied;

         nfs3_call_state_t              *cs = NULL;

-        cs = frame->local;

+        cs = GF_REF_GET ((nfs3_call_state_t*) frame->local);

         if (op_ret == -1) {

                 stat = nlm4_errno_to_nlm4stat (op_errno);

                 goto err;

@@ -1691,7 +1707,7 @@ nlm4svc_unlock_cbk (call_frame_t *frame, void *cookie, xlator_t *this,

 err:

         nlm4_generic_reply (cs->req, cs->args.nlm4_unlockargs.cookie, stat);

-        nfs3_call_state_wipe (cs);

+        GF_REF_PUT (cs);

         return 0;

 }

@@ -1705,7 +1721,7 @@ nlm4_unlock_fd_resume (void *carg)

         if (!carg)

                 return ret;

-        cs = (nfs3_call_state_t *)carg;

+        cs = GF_REF_GET ((nfs3_call_state_t *)carg);

         nfs_request_user_init (&nfu, cs->req);

         nlm4_lock_to_gf_flock (&flock, &cs->args.nlm4_unlockargs.alock, 0);

         nlm_copy_lkowner (&nfu.lk_owner, &cs->args.nlm4_unlockargs.alock.oh);

@@ -1713,6 +1729,8 @@ nlm4_unlock_fd_resume (void *carg)

         ret = nfs_lk (cs->nfsx, cs->vol, &nfu, cs->fd, F_SETLK,

                       &flock, nlm4svc_unlock_cbk, cs);

+        GF_REF_PUT (cs);

+

         return ret;

 }

@@ -1728,7 +1746,7 @@ nlm4_unlock_resume (void *carg)

         if (!carg)

                 return ret;

-        cs = (nfs3_call_state_t *)carg;

+        cs = GF_REF_GET ((nfs3_call_state_t *)carg);

         nlm4_check_fh_resolve_status (cs, stat, nlm4err);

         caller_name = cs->args.nlm4_unlockargs.alock.caller_name;

@@ -1758,6 +1776,9 @@ nlm4err:

                 nfs3_call_state_wipe (cs);

         }

+

+        GF_REF_PUT (cs);

+

         /* we have already taken care of cleanup */

         return 0;

 }

@@ -2425,6 +2446,9 @@ nlm_handle_connect (struct rpc_clnt *rpc_clnt, nfs3_call_state_t *cs)

         }

 out:

+        if (cs)

+                GF_REF_PUT (cs);

+

         return ret;

 }

-- 

1.8.3.1