Gaurav has uploaded this change for review.


Fix fsal not supporting fso_allocate_own_read_buffer

We use io_data to set release method and release_data.
But it could result in a use-after-free, as pointed out by valgrind.
So keep a copy of io_data instead of referencing the original one.

==144581== Invalid read of size 8
==144581== at 0x4E8A3D7: fsal_iov_release (fsal_helper.c:1900)
==144581== by 0x4EF705D: xdr_io_data_uio_release (rpc_tools.c:500)
==144581== by 0x530EA08: xdr_ioq_uv_release (xdr_ioq.c:568)
==144581== by 0x53100FE: xdr_ioq_release (xdr_ioq.c:1210)
==144581== by 0x53101CA: xdr_ioq_destroy (xdr_ioq.c:1228)
==144581== by 0x5310261: xdr_ioq_destroy_internal (xdr_ioq.c:1245)
==144581== by 0x531250C: svc_ioq_write (svc_ioq.c:404)
==144581== by 0x5312618: svc_ioq_write_now (svc_ioq.c:441)
==144581== by 0x5309C17: svc_vc_reply (svc_vc.c:1272)
==144581== by 0x52FD857: svc_sendreply (svc.c:509)
==144581== by 0x4EACEDC: complete_request (nfs_worker_thread.c:784)
==144581== by 0x4EAF5DE: nfs_rpc_process_request (nfs_worker_thread.c:1579)
==144581== Address 0x10d1f0d8 is 200 bytes inside a block of size 208 free'd
==144581== at 0x4C3B4CB: free (vg_replace_malloc.c:985)
==144581== by 0x4F93D70: gsh_free (abstract_mem.h:257)
==144581== by 0x4F959DE: nfs4_op_read (nfs4_op_read.c:892)
==144581== by 0x4F77BF4: process_one_op (nfs4_Compound.c:912)
==144581== by 0x4F78F8B: nfs4_Compound (nfs4_Compound.c:1394)
==144581== by 0x4EAF5A3: nfs_rpc_process_request (nfs_worker_thread.c:1558)
==144581== by 0x4EAFB36: nfs_rpc_valid_NFS (nfs_worker_thread.c:1778)
==144581== by 0x530999A: svc_vc_decode (svc_vc.c:1209)
==144581== by 0x53046B5: svc_request (svc_rqst.c:1236)
==144581== by 0x53098A3: svc_vc_recv (svc_vc.c:1182)
==144581== by 0x5304635: svc_rqst_xprt_task_recv (svc_rqst.c:1217)
==144581== by 0x53051CC: svc_rqst_epoll_loop (svc_rqst.c:1598)
==144581== Block was alloc'd at
==144581== at 0x4C3F963: calloc (vg_replace_malloc.c:1595)
==144581== by 0x4F9572F: nfs4_read (nfs4_op_read.c:783)
==144581== by 0x4F95986: nfs4_op_read (nfs4_op_read.c:875)
==144581== by 0x4F77BF4: process_one_op (nfs4_Compound.c:912)
==144581== by 0x4F78F8B: nfs4_Compound (nfs4_Compound.c:1394)
==144581== by 0x4EAF5A3: nfs_rpc_process_request (nfs_worker_thread.c:1558)
==144581== by 0x4EAFB36: nfs_rpc_valid_NFS (nfs_worker_thread.c:1778)
==144581== by 0x530999A: svc_vc_decode (svc_vc.c:1209)
==144581== by 0x53046B5: svc_request (svc_rqst.c:1236)
==144581== by 0x53098A3: svc_vc_recv (svc_vc.c:1182)
==144581== by 0x5304635: svc_rqst_xprt_task_recv (svc_rqst.c:1217)
==144581== by 0x53051CC: svc_rqst_epoll_loop (svc_rqst.c:1598)
==144581==
==144581== Invalid read of size 8
==144581== at 0x4E8A3EA: fsal_iov_release (fsal_helper.c:1901)
==144581== by 0x4EF705D: xdr_io_data_uio_release (rpc_tools.c:500)
==144581== by 0x530EA08: xdr_ioq_uv_release (xdr_ioq.c:568)
==144581== by 0x53100FE: xdr_ioq_release (xdr_ioq.c:1210)
==144581== by 0x53101CA: xdr_ioq_destroy (xdr_ioq.c:1228)
==144581== by 0x5310261: xdr_ioq_destroy_internal (xdr_ioq.c:1245)
==144581== by 0x531250C: svc_ioq_write (svc_ioq.c:404)
==144581== by 0x5312618: svc_ioq_write_now (svc_ioq.c:441)
==144581== by 0x5309C17: svc_vc_reply (svc_vc.c:1272)
==144581== by 0x52FD857: svc_sendreply (svc.c:509)
==144581== by 0x4EACEDC: complete_request (nfs_worker_thread.c:784)
==144581== by 0x4EAF5DE: nfs_rpc_process_request (nfs_worker_thread.c:1579)
==144581== Address 0x10d1f0d8 is 200 bytes inside a block of size 208 free'd
==144581== at 0x4C3B4CB: free (vg_replace_malloc.c:985)
==144581== by 0x4F93D70: gsh_free (abstract_mem.h:257)
==144581== by 0x4F959DE: nfs4_op_read (nfs4_op_read.c:892)
==144581== by 0x4F77BF4: process_one_op (nfs4_Compound.c:912)
==144581== by 0x4F78F8B: nfs4_Compound (nfs4_Compound.c:1394)
==144581== by 0x4EAF5A3: nfs_rpc_process_request (nfs_worker_thread.c:1558)
==144581== by 0x4EAFB36: nfs_rpc_valid_NFS (nfs_worker_thread.c:1778)
==144581== by 0x530999A: svc_vc_decode (svc_vc.c:1209)
==144581== by 0x53046B5: svc_request (svc_rqst.c:1236)
==144581== by 0x53098A3: svc_vc_recv (svc_vc.c:1182)
==144581== by 0x5304635: svc_rqst_xprt_task_recv (svc_rqst.c:1217)
==144581== by 0x53051CC: svc_rqst_epoll_loop (svc_rqst.c:1598)
==144581== Block was alloc'd at
==144581== at 0x4C3F963: calloc (vg_replace_malloc.c:1595)
==144581== by 0x4F9572F: nfs4_read (nfs4_op_read.c:783)
==144581== by 0x4F95986: nfs4_op_read (nfs4_op_read.c:875)
==144581== by 0x4F77BF4: process_one_op (nfs4_Compound.c:912)
==144581== by 0x4F78F8B: nfs4_Compound (nfs4_Compound.c:1394)
==144581== by 0x4EAF5A3: nfs_rpc_process_request (nfs_worker_thread.c:1558)
==144581== by 0x4EAFB36: nfs_rpc_valid_NFS (nfs_worker_thread.c:1778)
==144581== by 0x530999A: svc_vc_decode (svc_vc.c:1209)
==144581== by 0x53046B5: svc_request (svc_rqst.c:1236)
==144581== by 0x53098A3: svc_vc_recv (svc_vc.c:1182)
==144581== by 0x5304635: svc_rqst_xprt_task_recv (svc_rqst.c:1217)
==144581== by 0x53051CC: svc_rqst_epoll_loop (svc_rqst.c:1598)
==144581==

Change-Id: I8a9396006e4a3ce46a88eb6f93db6cd6c40180e0
Signed-off-by: Gaurav Gangalwar <gaurav.gangalwar@gmail.com>
---
M src/FSAL/fsal_helper.c
M src/RPCAL/rpc_tools.c
2 files changed, 13 insertions(+), 7 deletions(-)
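The lifetime bug this change addresses, as an added illustration that is not nfs-ganesha code: the read op builds an io_data descriptor (release callback plus release_data), the reply fragment keeps a pointer to it, and the op frees the descriptor before the transport has written the reply and invoked the callback. The struct names (io_data, uv), the op/transport functions and the poison-based simulated free are all hypothetical stand-ins chosen so the freed-memory read can be observed without undefined behaviour; the real code paths are the ones in the valgrind trace above.

```c
/* Added example (not nfs-ganesha code): a reply fragment that borrows a
 * pointer to the op's io_data vs. one that owns a copy of it. Names are
 * hypothetical stand-ins for the real structures. */
#include <stdlib.h>
#include <string.h>

#define POISON 0xAB   /* byte written over "freed" memory by sim_free() */

/* Descriptor handed from the read op to the transport. */
struct io_data {
    const char *buf;            /* read buffer to send */
    size_t len;
    void (*release)(void *);    /* called by the transport once the reply is written */
    void *release_data;         /* argument for release() */
};

/* One queued reply fragment. Either borrows the op's descriptor (ref)
 * or owns a snapshot of it (copy); owns_copy selects which is used. */
struct uv {
    const struct io_data *ref;
    struct io_data copy;
    int owns_copy;
};

static int released_count;      /* how many times the callback ran */
static void *released_with;     /* release_data it was given */
static char read_buf[16] = "hello";

static void buf_release(void *data)
{
    released_count++;
    released_with = data;
}

/* Simulated free: keeps the memory mapped but overwrites it, so reading it
 * afterwards is defined behaviour here (unlike a real free()). */
static void sim_free(void *p, size_t n) { memset(p, POISON, n); }

static int is_poisoned(const void *p, size_t n)
{
    const unsigned char *b = p;
    for (size_t i = 0; i < n; i++)
        if (b[i] != POISON) return 0;
    return 1;
}

/* The read op: allocate io_data, queue the reply, then free the descriptor.
 * Returns the (simulated-freed) descriptor so the caller can free() it for
 * real once the transport is done with the demo. */
static struct io_data *op_read(struct uv *q, int use_copy)
{
    struct io_data *d = calloc(1, sizeof *d);
    if (!d) return NULL;
    d->buf = read_buf;
    d->len = 5;
    d->release = buf_release;
    d->release_data = read_buf;
    if (use_copy) {            /* fixed: snapshot the descriptor */
        q->copy = *d;
        q->owns_copy = 1;
        q->ref = NULL;
    } else {                   /* buggy: keep a pointer into memory about to die */
        q->ref = d;
        q->owns_copy = 0;
    }
    sim_free(d, sizeof *d);    /* descriptor dies before the reply is sent */
    return d;
}

/* Transport side: after writing the fragment, invoke the release callback.
 * Returns -1 when the callback would be read out of freed memory, which is
 * the read valgrind reported; the copy variant never hits that path. */
static int transport_send(struct uv *q)
{
    const struct io_data *d = q->owns_copy ? &q->copy : q->ref;
    if (!d || is_poisoned(&d->release, sizeof d->release)) return -1;
    if (d->release) d->release(d->release_data);
    return 0;
}

/* Run one request end to end; returns transport_send()'s result. */
static int run_request(int use_copy)
{
    struct uv q;
    memset(&q, 0, sizeof q);
    released_count = 0;
    released_with = NULL;
    struct io_data *d = op_read(&q, use_copy);
    if (!d) return -2;
    int rc = transport_send(&q);
    free(d);
    return rc;
}

int main(void)
{
    int by_copy = run_request(1);   /* 0: callback ran with read_buf */
    int by_ref = run_request(0);    /* -1: callback pointer read from freed memory */
    return (by_copy == 0 && by_ref == -1) ? 0 : 1;
}
```

The copy costs one struct assignment per reply fragment; in exchange the fragment's lifetime no longer depends on the op's heap object, which is exactly the ownership boundary the valgrind trace shows being crossed between nfs4_op_read and svc_ioq_write.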

git pull ssh://review.gerrithub.io:29418/ffilz/nfs-ganesha refs/changes/36/1199736/1

To view, visit change 1199736.

Gerrit-MessageType: newchange
Gerrit-Project: ffilz/nfs-ganesha
Gerrit-Branch: next
Gerrit-Change-Id: I8a9396006e4a3ce46a88eb6f93db6cd6c40180e0
Gerrit-Change-Number: 1199736
Gerrit-PatchSet: 1
Gerrit-Owner: Gaurav <gaurav.gangalwar@gmail.com>