From b3250767f749a6289e181c72340e170978622314 Mon Sep 17 00:00:00 2001
From: N Balachandran <nbalacha@redhat.com>
Date: Thu, 29 Jun 2017 10:52:37 +0530
Subject: [PATCH 540/557] cluster:dht Fix crash in dht_rename_lock_cbk

Use a local variable to store the call count
in the STACK_WIND for loop. Using frame->local
is dangerous, as it could be freed while the loop
is still being processed.

> BUG: 1466863
> Signed-off-by: N Balachandran <nbalacha@redhat.com>
> Reviewed-on: https://review.gluster.org/17665
> Smoke: Gluster Build System <jenkins@build.gluster.org>
> Reviewed-by: Jeff Darcy <jeff@pl.atyp.us>
> CentOS-regression: Gluster Build System <jenkins@build.gluster.org>
Change-Id: Ie65cdcfb7868509b4a83bc2a5b5d6304eabfbc8e
BUG: 1466321
Signed-off-by: N Balachandran <nbalacha@redhat.com>
Reviewed-on: https://code.engineering.redhat.com/gerrit/111061
Reviewed-by: Atin Mukherjee <amukherj@redhat.com>
---
 xlators/cluster/dht/src/dht-rename.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/xlators/cluster/dht/src/dht-rename.c b/xlators/cluster/dht/src/dht-rename.c
index 3cd400f..e33c1e4 100644
--- a/xlators/cluster/dht/src/dht-rename.c
+++ b/xlators/cluster/dht/src/dht-rename.c
@@ -1389,6 +1389,8 @@ dht_rename_lock_cbk (call_frame_t *frame, void *cookie, xlator_t *this,
         dict_t      *xattr_req                  = NULL;
         dht_conf_t  *conf                       = NULL;
         int          i                          = 0;
+        int          count                      = 0;
+
 
         local = frame->local;
         conf = this->private;
@@ -1428,7 +1430,7 @@ dht_rename_lock_cbk (call_frame_t *frame, void *cookie, xlator_t *this,
                 goto done;
         }
 
-        local->call_cnt = local->lock.lk_count;
+        count = local->call_cnt = local->lock.lk_count;
 
         /* Why not use local->lock.locks[?].loc for lookup post lock phase
          * ---------------------------------------------------------------
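Review bot: The chained assignment `count = local->call_cnt = local->lock.lk_count;` carries the whole fix but nothing in the code says why the copy exists, so a later cleanup could fold `count` back into `local->lock.lk_count` and reintroduce the use-after-free. I would add a comment directly above it, for example `/* Snapshot the wind count: local may be freed by the last lookup callback, so the loop below must not read it for its bound. */`. The declaration hunk also leaves two consecutive blank lines after `int count = 0;`, and one of them can be dropped.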
@@ -1447,7 +1449,7 @@ dht_rename_lock_cbk (call_frame_t *frame, void *cookie, xlator_t *this,
          * exists with the name that the client requested with.
          * */
 
-        for (i = 0; i < local->lock.lk_count; i++) {
+        for (i = 0; i < count; i++) {
                 STACK_WIND_COOKIE (frame, dht_rename_lookup_cbk, (void *)(long)i
                                    , local->lock.locks[i]->xl,
                                    local->lock.locks[i]->xl->fops->lookup,
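Review bot: The loop bound no longer reads `local`, but the wind arguments still dereference `local->lock.locks[i]->xl` on every iteration. That is safe only if `dht_rename_lookup_cbk` cannot release `local` while winds are still outstanding, presumably because it acts only when `call_cnt` reaches zero. That callback is not visible in this hunk, so the invariant should be confirmed and stated next to the loop. The function body continues past the hunk, and any statement after the loop that touches `frame` or `local` would hit the same freed memory, so it is worth checking that the code falls straight through to a return there. If the invariant does not hold on an error path of the callback, the fix would need to copy each `xl` pointer into a local array before the first wind instead of reading it from `local` in the loop.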
-- 
1.8.3.1