Malahal has uploaded this change for review.


Fix accessing object handle after freeing its last state

nfs4_op_close() calls state_del_locked() while deleting the state found.
This could be the last state for the object handle and the last refcount as
well, leading to an access after free in state_del_locked() while accessing the
object handle after deleting the state.

Fix this by using state_del() instead.

Also, nfs4_op_close() uses data->current_obj instead of the corresponding
state's object handle. These could be different especially when an object
handle gets re-allocated as an earlier object handle gets deleted from the
hash table due to state_wipe_file call on it.

Change-Id: I65d58921d33bd38eb877615811a7220bdd55cb26
Signed-off-by: Malahal Naineni <malahal@us.ibm.com>
---
M src/Protocols/NFS/nfs4_op_close.c
1 file changed, 17 insertions(+), 13 deletions(-)

git pull ssh://review.gerrithub.io:29418/ffilz/nfs-ganesha refs/changes/59/478659/1


Gerrit-Project: ffilz/nfs-ganesha
Gerrit-Branch: next
Gerrit-Change-Id: I65d58921d33bd38eb877615811a7220bdd55cb26
Gerrit-Change-Number: 478659
Gerrit-PatchSet: 1
Gerrit-Owner: Malahal <malahal@gmail.com>
Gerrit-MessageType: newchange