Daniel Gryniewicz has uploaded this change for review.

FSAL_MEM - Handle links

Links cause problems for MEM, because you have multiple references to
the same object. This can result in MDCACHE having multiple entries
pointing to the same sub_handle, causing use-after-free when the two
entries are released. It works like this:

    mde_A = lookup(OLDNAME)
    mde_A->link(NEWNAME)
    fsal_remove(NEWNAME)  // At this point, mde_A is unreachable
    fsal_remove(OLDNAME)  // This creates a new handle, mde_B, pointing to
                          // sub_hdl. Then it unlink()s, then put()s,
                          // causing mde_B's ref to go to zero, calling
                          // sub_hdl->release(), and sub_hdl is freed.
    mde_A->put_ref()      // sub_hdl was already freed, but this calls
                          // release again

To fix this, implement full refcounting for FSAL_MEM handles, and
increment the ref on lookup(), and dec it on release().

Change-Id: I2cfcc8f125aa8de1b7c6245389c27d20eed210e2
Signed-off-by: Daniel Gryniewicz <dang@redhat.com>
---
M src/FSAL/FSAL_MEM/mem_handle.c
M src/FSAL/FSAL_MEM/mem_int.h
M src/include/gsh_lttng/fsal_mem.h
3 files changed, 310 insertions(+), 74 deletions(-)

git pull ssh://review.gerrithub.io:29418/ffilz/nfs-ganesha refs/changes/73/414273/1

Gerrit-Project: ffilz/nfs-ganesha
Gerrit-Branch: next
Gerrit-MessageType: newchange
Gerrit-Change-Id: I2cfcc8f125aa8de1b7c6245389c27d20eed210e2
Gerrit-Change-Number: 414273
Gerrit-PatchSet: 1
Gerrit-Owner: Daniel Gryniewicz <dang@redhat.com>
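
Added example, not part of this change or of nfs-ganesha: a minimal C model of the fix the commit message describes, replaying its trace with a reference taken on lookup and dropped on release. The names struct mem_obj, mem_lookup, mem_link, mem_unlink, mem_release and replay_trace are hypothetical, and freeing only when both the link count and the refcount are zero is an assumption of this model.

```c
#include <stdlib.h>

/* Hypothetical stand-in for an in-memory FSAL object; not nfs-ganesha code. */
struct mem_obj {
	int refcount;	/* one reference per upper-layer entry (mde_A, mde_B) */
	int nlink;	/* directory names that still point at the object */
};

static int frees;	/* how many times an object was really freed */

/* Assumed rule: free only when no name and no entry refers to the object. */
static void maybe_free(struct mem_obj *o)
{
	if (o->refcount == 0 && o->nlink == 0) {
		free(o);
		frees++;
	}
}

static struct mem_obj *mem_lookup(struct mem_obj *o) { o->refcount++; return o; }
static void mem_link(struct mem_obj *o) { o->nlink++; }
static void mem_unlink(struct mem_obj *o) { o->nlink--; maybe_free(o); }
static void mem_release(struct mem_obj *o) { o->refcount--; maybe_free(o); }

/* Replays the commit message's sequence; returns the number of frees. */
int replay_trace(int *refs_after_first_release)
{
	struct mem_obj *o = calloc(1, sizeof(*o)), *a, *b;

	if (o == NULL)
		return -1;
	frees = 0;
	o->nlink = 1;		/* OLDNAME */
	a = mem_lookup(o);	/* mde_A = lookup(OLDNAME) */
	mem_link(a);		/* mde_A->link(NEWNAME) */
	mem_unlink(a);		/* fsal_remove(NEWNAME) */
	b = mem_lookup(o);	/* fsal_remove(OLDNAME): new entry mde_B */
	mem_unlink(b);		/*   ...unlink()s... */
	mem_release(b);		/*   ...then put()s; mde_A still holds a ref */
	*refs_after_first_release = (frees == 0) ? a->refcount : -1;
	mem_release(a);		/* mde_A->put_ref(): last ref, single free */
	return frees;
}

int main(void)
{
	int refs;
	return replay_trace(&refs) == 1 && refs == 1 ? 0 : 1;
}
```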