From 5a27594a16307d0b9ab626d7b51514f92e4b7bdd Mon Sep 17 00:00:00 2001 From: N Balachandran Date: Thu, 18 May 2017 10:08:43 +0530 Subject: [PATCH 451/473] cluster/dht: Fix crash in dht rmdir Using local->call_cnt to check STACK_WINDs can cause dht_rmdir_do to be called erroneously if dht_rmdir_readdirp_cbk unwinds before we check if local->call_cnt is zero in dht_rmdir_opendir_cbk. This can cause frame corruptions and crashes. Thanks to Shyam (srangana@redhat.com) for the analysis. > BUG: 1451083 > Signed-off-by: N Balachandran > Reviewed-on: https://review.gluster.org/17305 > Smoke: Gluster Build System > NetBSD-regression: NetBSD Build System > CentOS-regression: Gluster Build System > Reviewed-by: Shyamsundar Ranganathan Change-Id: I116dbbffca83a4547b71d922ca99a42f3cf6e009 BUG: 1451086 Signed-off-by: N Balachandran Reviewed-on: https://code.engineering.redhat.com/gerrit/106511 Reviewed-by: Atin Mukherjee --- xlators/cluster/dht/src/dht-common.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/xlators/cluster/dht/src/dht-common.c b/xlators/cluster/dht/src/dht-common.c index 962282a..264ca65 100644 --- a/xlators/cluster/dht/src/dht-common.c +++ b/xlators/cluster/dht/src/dht-common.c @@ -8646,6 +8646,7 @@ dht_rmdir_opendir_cbk (call_frame_t *frame, void *cookie, xlator_t *this, char gfid[GF_UUID_BUF_SIZE] = {0}; dht_local_t *readdirp_local = NULL; call_frame_t *readdirp_frame = NULL; + int cnt = 0; local = frame->local; prev = cookie; @@ -8688,7 +8689,7 @@ dht_rmdir_opendir_cbk (call_frame_t *frame, void *cookie, xlator_t *this, "%s: Failed to set dictionary value:key = %s", local->loc.path, conf->link_xattr_name); - local->call_cnt = conf->subvolume_cnt; + cnt = local->call_cnt = conf->subvolume_cnt; /* Create a separate frame per subvol as we might need @@ -8701,7 +8702,9 @@ dht_rmdir_opendir_cbk (call_frame_t *frame, void *cookie, xlator_t *this, readdirp_frame = copy_frame (frame); if (!readdirp_frame) { - local->call_cnt--; + cnt--; + /* Reduce the local->call_cnt as well */ + dht_frame_return (frame); continue; } @@ -8710,7 +8713,9 @@ dht_rmdir_opendir_cbk (call_frame_t *frame, void *cookie, xlator_t *this, if (!readdirp_local) { DHT_STACK_DESTROY (readdirp_frame); - local->call_cnt--; + cnt--; + /* Reduce the local->call_cnt as well */ + dht_frame_return (frame); continue; } readdirp_local->main_frame = frame; @@ -8730,7 +8735,8 @@ dht_rmdir_opendir_cbk (call_frame_t *frame, void *cookie, xlator_t *this, dict_unref (dict); /* Could not wind readdirp to any subvol */ - if (!local->call_cnt) + + if (!cnt) goto err; return 0; -- 1.8.3.1