From b3250767f749a6289e181c72340e170978622314 Mon Sep 17 00:00:00 2001
From: N Balachandran <nbalacha@redhat.com>
Date: Thu, 29 Jun 2017 10:52:37 +0530
Subject: [PATCH 540/557] cluster:dht Fix crash in dht_rename_lock_cbk
Use a local variable to store the call count
used by the STACK_WIND for loop. Reading it through
frame->local is dangerous because frame->local could be
freed while the loop is still being processed.
> BUG: 1466863
> Signed-off-by: N Balachandran <nbalacha@redhat.com>
> Reviewed-on: https://review.gluster.org/17665
> Smoke: Gluster Build System <jenkins@build.gluster.org>
> Reviewed-by: Jeff Darcy <jeff@pl.atyp.us>
> CentOS-regression: Gluster Build System <jenkins@build.gluster.org>
Change-Id: Ie65cdcfb7868509b4a83bc2a5b5d6304eabfbc8e
BUG: 1466321
Signed-off-by: N Balachandran <nbalacha@redhat.com>
Reviewed-on: https://code.engineering.redhat.com/gerrit/111061
Reviewed-by: Atin Mukherjee <amukherj@redhat.com>
---
xlators/cluster/dht/src/dht-rename.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/xlators/cluster/dht/src/dht-rename.c b/xlators/cluster/dht/src/dht-rename.c
index 3cd400f..e33c1e4 100644
--- a/xlators/cluster/dht/src/dht-rename.c
+++ b/xlators/cluster/dht/src/dht-rename.c
@@ -1389,6 +1389,8 @@ dht_rename_lock_cbk (call_frame_t *frame, void *cookie, xlator_t *this,
dict_t *xattr_req = NULL;
dht_conf_t *conf = NULL;
int i = 0;
+ int count = 0;
+
local = frame->local;
conf = this->private;
@@ -1428,7 +1430,7 @@ dht_rename_lock_cbk (call_frame_t *frame, void *cookie, xlator_t *this,
goto done;
}
- local->call_cnt = local->lock.lk_count;
+ count = local->call_cnt = local->lock.lk_count;
/* Why not use local->lock.locks[?].loc for lookup post lock phase
* ---------------------------------------------------------------
@@ -1447,7 +1449,7 @@ dht_rename_lock_cbk (call_frame_t *frame, void *cookie, xlator_t *this,
* exists with the name that the client requested with.
* */
- for (i = 0; i < local->lock.lk_count; i++) {
+ for (i = 0; i < count; i++) {
STACK_WIND_COOKIE (frame, dht_rename_lookup_cbk, (void *)(long)i
, local->lock.locks[i]->xl,
local->lock.locks[i]->xl->fops->lookup,
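Review bot: The loop body still reads `local->lock.locks[i]->xl` in the STACK_WIND_COOKIE arguments on every iteration, so this change removes the possible read of freed memory only from the loop condition. That is enough only if `local` cannot be released before the callback of the final wind has run, which depends on `dht_rename_lookup_cbk` and the call-count handling outside this hunk. I would record that invariant where `count` is assigned, e.g. `/* snapshot lk_count: the last lookup cbk may free local, so nothing may read local after the final wind */`, and confirm that no error path in the callback can unwind the frame before all winds are issued. The STACK_WIND_COOKIE call continues past the end of the hunk.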
--
1.8.3.1