rpms/glusterfs
5
0
Fork 0
Code Issues Pull Requests Releases Activity
44ca233177
glusterfs/0470-dht-fix-use-after-free-in-dht_rmdir_readdirp_cbk.patch
Milind Changire 1f2f23ddef autobuild v3.12.2-33 
Resolves: bz#1350745 bz#1362129 bz#1541568 bz#1597252 bz#1599220
Resolves: bz#1633177 bz#1637564 bz#1639476 bz#1639568 bz#1643370
Resolves: bz#1645480 bz#1648296 bz#1648893 bz#1651040 bz#1651460
Resolves: bz#1652466 bz#1652537 bz#1653224 bz#1653613 bz#1654103
Resolves: bz#1654161 bz#1655385 bz#1655578 bz#1656357 bz#1659439
Signed-off-by: Milind Changire <mchangir@redhat.com>
2018-12-18 11:23:13 -05:00

88 lines
3.1 KiB
Diff
Raw Blame History

From 870513f9bade449fa760a81e242102860a0fdc91 Mon Sep 17 00:00:00 2001
From: N Balachandran <nbalacha@redhat.com>
Date: Thu, 13 Dec 2018 10:54:15 +0530
Subject: [PATCH 470/493] dht: fix use after free in dht_rmdir_readdirp_cbk
The frame is freed when linkfile exist in dht_rmdir_is_subvol_empty(),
the following message use the freed local.
upstream patch: https://review.gluster.org/#/c/glusterfs/+/21446/
> Change-Id: I41191e8bd477f031a2444d5f15e578dc4f086e6b
> Updates: bz#1640489
> Signed-off-by: Kinglong Mee <mijinlong@open-fs.com>
Change-Id: Ia257e1da57cc486ab336e43f8e88187e984c70e2
BUG: 1654103
Author: Kinglong Mee <mijinlong@open-fs.com>
Signed-off-by: N Balachandran <nbalacha@redhat.com>
Reviewed-on: https://code.engineering.redhat.com/gerrit/158486
Tested-by: RHGS Build Bot <nigelb@redhat.com>
Reviewed-by: Raghavendra Gowdappa <rgowdapp@redhat.com>
---
xlators/cluster/dht/src/dht-common.c | 23 +++++++++++++----------
1 file changed, 13 insertions(+), 10 deletions(-)
diff --git a/xlators/cluster/dht/src/dht-common.c b/xlators/cluster/dht/src/dht-common.c
index 2e19036..ff0099c 100644
--- a/xlators/cluster/dht/src/dht-common.c
+++ b/xlators/cluster/dht/src/dht-common.c
@@ -10175,6 +10175,7 @@ dht_rmdir_readdirp_cbk (call_frame_t *frame, void *cookie, xlator_t *this,
xlator_t *prev = NULL;
xlator_t *src = NULL;
int ret = 0;
+ char *path = NULL;
local = frame->local;
@@ -10182,6 +10183,11 @@ dht_rmdir_readdirp_cbk (call_frame_t *frame, void *cookie, xlator_t *this,
src = prev;
if (op_ret > 2) {
+ /* dht_rmdir_is_subvol_empty() may free the frame,
+ * copy path for logging.
+ */
+ path = gf_strdup(local->loc.path);
+
ret = dht_rmdir_is_subvol_empty (frame, this, entries, src);
switch (ret) {
@@ -10192,27 +10198,24 @@ dht_rmdir_readdirp_cbk (call_frame_t *frame, void *cookie, xlator_t *this,
local->loc.path, op_ret);
local->op_ret = -1;
local->op_errno = ENOTEMPTY;
- goto done;
+ break;
default:
/* @ret number of linkfiles are getting unlinked */
gf_msg_trace (this->name, 0,
"readdir on %s for %s found %d "
- "linkfiles", prev->name,
- local->loc.path, ret);
+ "linkfiles",
+ prev->name, path, ret);
break;
}
}
-
- if (ret) {
- return 0;
- }
-
-done:
/* readdirp failed or no linkto files were found on this subvol */
+ if (!ret) {
+ dht_rmdir_readdirp_done(frame, this);
+ }
+ GF_FREE(path);
- dht_rmdir_readdirp_done (frame, this);
return 0;
}
--
1.8.3.1
Reference in New Issue View Git Blame Copy Permalink