From b3250767f749a6289e181c72340e170978622314 Mon Sep 17 00:00:00 2001
From: N Balachandran
Date: Thu, 29 Jun 2017 10:52:37 +0530
Subject: [PATCH 540/557] cluster:dht Fix crash in dht_rename_lock_cbk
Use a local variable to store the call count in the STACK_WIND for loop. Using frame->local is dangerous as it could be freed while the loop is still being processed
> BUG: 1466863
> Signed-off-by: N Balachandran
> Reviewed-on: https://review.gluster.org/17665
> Smoke: Gluster Build System
> Reviewed-by: Jeff Darcy
> CentOS-regression: Gluster Build System
Change-Id: Ie65cdcfb7868509b4a83bc2a5b5d6304eabfbc8e
BUG: 1466321
Signed-off-by: N Balachandran
Reviewed-on: https://code.engineering.redhat.com/gerrit/111061
Reviewed-by: Atin Mukherjee
---
 xlators/cluster/dht/src/dht-rename.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/xlators/cluster/dht/src/dht-rename.c b/xlators/cluster/dht/src/dht-rename.c
index 3cd400f..e33c1e4 100644
--- a/xlators/cluster/dht/src/dht-rename.c
+++ b/xlators/cluster/dht/src/dht-rename.c
@@ -1389,6 +1389,8 @@ dht_rename_lock_cbk (call_frame_t *frame, void *cookie, xlator_t *this,
 dict_t *xattr_req = NULL;
 dht_conf_t *conf = NULL;
 int i = 0;
+ int count = 0;
+ local = frame->local;
 conf = this->private;
@@ -1428,7 +1430,7 @@ dht_rename_lock_cbk (call_frame_t *frame, void *cookie, xlator_t *this,
 goto done;
 }
- local->call_cnt = local->lock.lk_count;
+ count = local->call_cnt = local->lock.lk_count;
 /* Why not use local->lock.locks[?].loc for lookup post lock phase
 * ---------------------------------------------------------------
@@ -1447,7 +1449,7 @@ dht_rename_lock_cbk (call_frame_t *frame, void *cookie, xlator_t *this,
 * exists with the name that the client requested with.
 * */
- for (i = 0; i < local->lock.lk_count; i++) {
+ for (i = 0; i < count; i++) {
 STACK_WIND_COOKIE (frame, dht_rename_lookup_cbk, (void *)(long)i , local->lock.locks[i]->xl, local->lock.locks[i]->xl->fops->lookup,
-- 
1.8.3.1
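Review bot: In the last hunk the loop bound now comes from `count`, but the `STACK_WIND_COOKIE` arguments still read `local->lock.locks[i]->xl` on every iteration, so the fix holds only if `local` cannot be released before the final lookup has been wound. The commit message says `frame->local` can be freed while the loop runs, yet nothing in the code records that constraint. I would add a comment above the loop, e.g. `/* local may be freed once the last lookup is wound: keep it out of the loop condition and do not touch it after the loop */`, so a later edit does not reintroduce the use-after-free. In the second hunk, `count = local->call_cnt = local->lock.lk_count;` would read more clearly as two statements, and `count` should have the same type as `lk_count`, whose declaration is not visible in this patch. The body of `dht_rename_lock_cbk` starts and ends outside these hunks.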