Bug 1654103 - Invalid memory read after freed in dht_rmdir_readdirp_cbk
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat
Component: distribute
Version: rhgs-3.4
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: RHGS 3.4.z Batch Update 3
Assignee: Nithya Balachandran
QA Contact: Sayalee
URL:
Whiteboard:
Depends On: 1640489
Blocks:
 
Reported: 2018-11-28 04:24 UTC by Nithya Balachandran
Modified: 2019-10-22 02:50 UTC (History)

Fixed In Version: glusterfs-3.12.2-33
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1640489
Environment:
Last Closed: 2019-02-04 07:41:44 UTC
Target Upstream Version:

Links
System ID Private Priority Status Summary Last Updated
Gluster.org Gerrit 21446 0 None None None 2018-11-28 04:24:41 UTC
Red Hat Product Errata RHBA-2019:0263 0 None None None 2019-02-04 07:41:53 UTC

Description Nithya Balachandran 2018-11-28 04:24:41 UTC
+++ This bug was initially created as a clone of Bug #1640489 +++

Description of problem:
valgrind shows,

==7734== Thread 13:
==7734== Invalid read of size 8
==7734==    at 0x15EE4B68: dht_rmdir_readdirp_cbk (dht-common.c:8697)
==7734==    by 0x15C332E2: client3_3_readdirp_cbk (client-rpc-fops.c:2660)
==7734==    by 0xAB96524: rpc_clnt_handle_reply (rpc-clnt.c:786)
==7734==    by 0xAB96ABD: rpc_clnt_notify (rpc-clnt.c:977)
==7734==    by 0xAB9275B: rpc_transport_notify (rpc-transport.c:543)
==7734==    by 0x15508220: socket_event_poll_in (socket.c:2541)
==7734==    by 0x15508868: socket_event_handler (socket.c:2690)
==7734==    by 0xA90987E: event_dispatch_epoll_handler (event-epoll.c:587)
==7734==    by 0xA909B8B: event_dispatch_epoll_worker (event-epoll.c:665)
==7734==    by 0x688EDC4: start_thread (in /usr/lib64/libpthread-2.17.so)
==7734==    by 0x71FA73C: clone (in /usr/lib64/libc-2.17.so)
==7734==  Address 0x29aa73a8 is 8 bytes inside a block of size 3,536 free'd
==7734==    at 0x4C28CDD: free (vg_replace_malloc.c:530)
==7734==    by 0xA8CA4B6: __gf_free (mem-pool.c:329)
==7734==    by 0xA8CA9F3: mem_put (mem-pool.c:579)
==7734==    by 0x15E798F4: dht_local_wipe (dht-helper.c:639)
==7734==    by 0x15EE4A4A: dht_rmdir_readdirp_done (dht-common.c:8663)
==7734==    by 0x15EE4C40: dht_rmdir_readdirp_do (dht-common.c:8733)
==7734==    by 0x15EE3A8B: dht_rmdir_cached_lookup_cbk (dht-common.c:8459)
==7734==    by 0x15C350E9: client3_3_lookup_cbk (client-rpc-fops.c:2955)
==7734==    by 0xAB96524: rpc_clnt_handle_reply (rpc-clnt.c:786)
==7734==    by 0xAB96ABD: rpc_clnt_notify (rpc-clnt.c:977)
==7734==    by 0xAB9275B: rpc_transport_notify (rpc-transport.c:543)
==7734==    by 0x15508220: socket_event_poll_in (socket.c:2541)
==7734==  Block was alloc'd at
==7734==    at 0x4C27BE3: malloc (vg_replace_malloc.c:299)
==7734==    by 0xA8C95B4: __gf_default_malloc (mem-pool.h:110)
==7734==    by 0xA8C9D5D: __gf_malloc (mem-pool.c:137)
==7734==    by 0xA8CA9D9: mem_get (mem-pool.c:475)
==7734==    by 0xA8CA984: mem_get0 (mem-pool.c:463)
==7734==    by 0x15E7993B: dht_local_init (dht-helper.c:650)
==7734==    by 0x15EE52D9: dht_rmdir_opendir_cbk (dht-common.c:8825)
==7734==    by 0x15C3484F: client3_3_opendir_cbk (client-rpc-fops.c:2859)
==7734==    by 0xAB96524: rpc_clnt_handle_reply (rpc-clnt.c:786)
==7734==    by 0xAB96ABD: rpc_clnt_notify (rpc-clnt.c:977)
==7734==    by 0xAB9275B: rpc_transport_notify (rpc-transport.c:543)
==7734==    by 0x15508220: socket_event_poll_in (socket.c:2541)
==7734==

and some messages in ganesha-gfapi.log
[dht-common.c:8412:dht_rmdir_cached_lookup_cbk] 0-openfs1-dht: /nfs/tfile/p25/d5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/l6XX found on cached subvol openfs1-client-0
[dht-common.c:8412:dht_rmdir_cached_lookup_cbk] 0-openfs1-dht: /nfs/tfile/p18/d0XXXXXXXXXXXXX/ddXXXXXXXXXXXXXXXXXX/d1aX/c1b found on cached subvol openfs1-client-0
[dht-common.c:8412:dht_rmdir_cached_lookup_cbk] 0-openfs1-dht: /nfs/tfile/p10/d32XXXXXXXXX/c33 found on cached subvol openfs1-client-0
[dht-common.c:8412:dht_rmdir_cached_lookup_cbk] 0-openfs1-dht: /nfs/tfile/p10/d32XXXXXXXXX/c33 found on cached subvol openfs1-client-0
[dht-common.c:8412:dht_rmdir_cached_lookup_cbk] 0-openfs1-dht: /nfs/tfile/p1b/d1X/d14XXXXXXXXXXXXXXXXXXXX/f1dXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX found on cached subvol openfs1-client-1
[dht-common.c:8412:dht_rmdir_cached_lookup_cbk] 0-openfs1-dht: /nfs/tfile/p2c/d0XX/d10XXXXXXXXXXXXX/d15XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/d16XXXXX/c19XXXX found on cached subvol openfs1-client-0
[dht-common.c:8412:dht_rmdir_cached_lookup_cbk] 0-openfs1-dht: /nfs/tfile/p2c/d0XX/d10XXXXXXXXXXXXX/d15XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/d16XXXXX/c19XXXX found on cached subvol openfs1-client-0


--- Additional comment from Worker Ant on 2018-10-18 06:25:37 EDT ---

REVIEW: https://review.gluster.org/21446 (dht: fix use after free in dht_rmdir_readdirp_cbk) posted (#1) for review on master by Kinglong Mee

--- Additional comment from Worker Ant on 2018-11-04 23:24:52 EST ---

REVIEW: https://review.gluster.org/21446 (dht: fix use after free in dht_rmdir_readdirp_cbk) posted (#6) for review on master by N Balachandran
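
Added example (not part of the bug report or the GlusterFS code): a small Python helper that reduces a memcheck use-after-free report like the one above to its access, free and allocation sites by skipping the allocator wrapper frames. The embedded report is abridged from the trace in this bug; the names summarize, WRAPPERS, FRAME and HEADERS are introduced here for illustration.

```python
import re

# Constructed sample: frames abridged from the valgrind report in this bug.
REPORT = """\
==7734== Invalid read of size 8
==7734==    at 0x15EE4B68: dht_rmdir_readdirp_cbk (dht-common.c:8697)
==7734==    by 0x15C332E2: client3_3_readdirp_cbk (client-rpc-fops.c:2660)
==7734==  Address 0x29aa73a8 is 8 bytes inside a block of size 3,536 free'd
==7734==    at 0x4C28CDD: free (vg_replace_malloc.c:530)
==7734==    by 0xA8CA4B6: __gf_free (mem-pool.c:329)
==7734==    by 0xA8CA9F3: mem_put (mem-pool.c:579)
==7734==    by 0x15E798F4: dht_local_wipe (dht-helper.c:639)
==7734==    by 0x15EE4A4A: dht_rmdir_readdirp_done (dht-common.c:8663)
==7734==  Block was alloc'd at
==7734==    at 0x4C27BE3: malloc (vg_replace_malloc.c:299)
==7734==    by 0xA8C9D5D: __gf_malloc (mem-pool.c:137)
==7734==    by 0xA8CA9D9: mem_get (mem-pool.c:475)
==7734==    by 0xA8CA984: mem_get0 (mem-pool.c:463)
==7734==    by 0x15E7993B: dht_local_init (dht-helper.c:650)
==7734==    by 0x15EE52D9: dht_rmdir_opendir_cbk (dht-common.c:8825)
"""

# Allocator wrapper frames seen in the report; they say nothing about the caller.
WRAPPERS = {"free", "malloc", "__gf_free", "__gf_malloc", "__gf_default_malloc",
            "mem_put", "mem_get", "mem_get0"}
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-F]+: (\S+) \(([^)]+)\)")
HEADERS = (("access", re.compile(r"Invalid (?:read|write) of size")),
           ("free", re.compile(r"inside a block of size [\d,]+ free'd")),
           ("alloc", re.compile(r"Block was alloc'd at")))

def summarize(report):
    """Return {section: [(function, file:line), ...]} without wrapper frames."""
    stacks, current = {}, None
    for line in report.splitlines():
        for name, pattern in HEADERS:
            if pattern.search(line):
                current = name
                stacks[current] = []
                break
        else:
            m = FRAME.match(line)
            if m and current and m.group(1) not in WRAPPERS:
                stacks[current].append((m.group(1), m.group(2)))
    return stacks

if __name__ == "__main__":
    for section, frames in summarize(REPORT).items():
        print(section, "->", " <- ".join(f"{fn} ({loc})" for fn, loc in frames[:2]))
```

On this trace the first non-wrapper frames are dht_rmdir_readdirp_cbk (access), dht_local_wipe called from dht_rmdir_readdirp_done (free) and dht_local_init called from dht_rmdir_opendir_cbk (allocation).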

Comment 9 Sayalee 2019-01-03 11:42:22 UTC
Ran the planned test cases in the test plan shared in Comment 8 and didn't see any issues on glusterfs version 3.12.2-34.

Moving this BZ to Verified.

Comment 11 errata-xmlrpc 2019-02-04 07:41:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0263

