Red Hat Bugzilla – Bug 1247850
Glusterfsd crashes because of thread-unsafe code in gf_authenticate
Last modified: 2015-09-09 05:38:41 EDT
+++ This bug was initially created as a clone of Bug #1247765 +++
This caused a failure on a regression test for an unrelated patch.
The relevant part of the stack trace looks like this.
#2 0x00007f3f84194d18 in dict_get (this=0x7f3f680023ec
#3 0x00007f3f744a4a45 in gf_auth (input_params=0x7f3f680023ec
#4 0x00007f3f748d9894 in map (this=0x7f3f70031dec
#5 0x00007f3f84196885 in dict_foreach_match (dict=0x7f3f70031dec
#6 0x00007f3f8419675d in dict_foreach (dict=0x7f3f70031dec
#7 0x00007f3f748d99d5 in gf_authenticate
In frame 2, "this" looks like a valid pointer, but the structure it points to seems to contain garbage. The problem becomes evident when we look at frame 7.
(gdb) p input_params
$3 = (dict_t *) 0x7f3f700665ac
(gdb) p __input_params
$4 = (dict_t *) 0x7f3f680023ec
So the value we're using is from the global __input_params. This should match the parameter input_params (which looks OK) but that's not the case. Apparently some other thread came in and stomped the unprotected global variable while we were still using it. This concurrency issue was actually reported - and fixed! - on September 13, 2013.
Unfortunately, since most people weren't running multiple network threads, they never saw the problem, didn't take it seriously, and bikeshedded the patch to death. Now that we have multi-threaded epoll, it's going to keep biting everyone until it's fixed.
--- Additional comment from Anand Avati on 2015-07-28 16:27:49 EDT ---
REVIEW: http://review.gluster.org/11780 (rpc: fix concurrency bug in gf_authenticate) posted (#1) for review on master by Jeff Darcy (firstname.lastname@example.org)
COMMIT: http://review.gluster.org/11785 committed in release-3.7 by Niels de Vos (email@example.com)
Author: Niels de Vos <firstname.lastname@example.org>
Date: Wed Jul 29 09:51:45 2015 +0200
rpc: fix concurrency bug in gf_authenticate
The basic problem is that gf_authenticate abused global variables to
pass info through dict_foreach. This is not thread-safe, but it wasn't
affecting most people until multi-threaded epoll came along. Now, if
two threads get into this code at the same time - and there's nothing to
prevent it - one of them could free one of the dicts involved while the
other is still using it.
The fix is to pass this same information using a temporary structure
instead of globals. This makes the code smaller and more efficient too.
Cherry picked from commit 8f04ec33bc86aa464a5f8b77f9d64e5608cb6f1b:
> Change-Id: I72cccc440bb40d5f7ff695250dd014762c7efb73
> BUG: 1247765
> Signed-off-by: Jeff Darcy <email@example.com>
> Reviewed-on: http://review.gluster.org/11780
> Tested-by: NetBSD Build System <firstname.lastname@example.org>
> Reviewed-by: Niels de Vos <email@example.com>
> Tested-by: Gluster Build System <firstname.lastname@example.org>
> Reviewed-by: Raghavendra G <email@example.com>
Signed-off-by: Niels de Vos <firstname.lastname@example.org>
Tested-by: NetBSD Build System <email@example.com>
Tested-by: Gluster Build System <firstname.lastname@example.org>
Reviewed-by: Jeff Darcy <email@example.com>
This bug is getting closed because a release has been made available that should address the reported issue. In case the problem is still not fixed with glusterfs-3.7.4, please open a new bug report.
glusterfs-3.7.4 has been announced on the Gluster mailinglists , packages for several distributions should become available in the near future. Keep an eye on the Gluster Users mailinglist  and the update infrastructure for your distribution.