uss/svc: fix double free on xdata dictionary

we were taking unref on wrong dictionary which results in wrong memory access. Change-Id: Ic25a6c209ecd72c9056dfcb79fabcfc650dd3c1e BUG: 1467513 Signed-off-by: Mohammed Rafi KC <rkavunga@redhat.com> Reviewed-on: https://review.gluster.org/17691 CentOS-regression: Gluster Build System <jenkins@build.gluster.org> Smoke: Gluster Build System <jenkins@build.gluster.org> Reviewed-by: Atin Mukherjee <amukherj@redhat.com>
2017-07-03 16:37:01 +05:30 · 2017-07-03 16:37:01 +05:30 · 26241777bf
commit 26241777bf
parent 70a5dfdea4
2 changed files with 20 additions and 8 deletions
--- a/xlators/features/snapview-client/src/snapview-client.c
+++ b/xlators/features/snapview-client/src/snapview-client.c
@ -1661,14 +1661,12 @@ gf_svc_readdirp_lookup_cbk (call_frame_t *frame, void *cookie, xlator_t *this,

        local = frame->local;

-        if (local->xdata != NULL)
-                dict_unref (xdata);
-
        if (op_ret) {
                if (op_errno == ESTALE && !local->revalidate) {
                        local->revalidate = 1;
                        ret = gf_svc_special_dir_revalidate_lookup (frame,
-                                                                    this);
+                                                                    this,
+                                                                    xdata);

                        if (!ret)
                                return 0;
@ -1723,7 +1721,8 @@ out:
 }

 int
-gf_svc_special_dir_revalidate_lookup (call_frame_t *frame, xlator_t *this)
+gf_svc_special_dir_revalidate_lookup (call_frame_t *frame, xlator_t *this,
+                                      dict_t *xdata)
 {
        svc_private_t *private    = NULL;
        svc_local_t   *local      = NULL;
@ -1740,6 +1739,15 @@ gf_svc_special_dir_revalidate_lookup (call_frame_t *frame, xlator_t *this)
        local = frame->local;
        loc = &local->loc;

+        if (local->xdata) {
+                dict_unref (local->xdata);
+                local->xdata = NULL;
+        }
+
+        if (xdata)
+                local->xdata = dict_ref (xdata);
+
+
        inode_unref (loc->inode);
        loc->inode = inode_new (loc->parent->table);
        if (!loc->inode) {
@ -1878,10 +1886,13 @@ gf_svc_readdir_on_special_dir (call_frame_t *frame, void *cookie,
                }

                local->cookie = cookie;
-                if (xdata == NULL)
+                if (local->xdata) {
+                        dict_unref (local->xdata);
                        local->xdata = NULL;
-                else
+                }
+                if (xdata)
                        local->xdata = dict_ref (xdata);
+
                STACK_WIND (frame, gf_svc_readdirp_lookup_cbk,
                            SECOND_CHILD (this),
                            SECOND_CHILD (this)->fops->lookup, loc, tmp_xdata);
--- a/xlators/features/snapview-client/src/snapview-client.h
+++ b/xlators/features/snapview-client/src/snapview-client.h
@ -96,6 +96,7 @@ typedef enum {
 } inode_type_t;

 int
-gf_svc_special_dir_revalidate_lookup (call_frame_t *frame, xlator_t *this);
+gf_svc_special_dir_revalidate_lookup (call_frame_t *frame, xlator_t *this,
+                                      dict_t *xdata);

 #endif /* __SNAP_VIEW_CLIENT_H__ */