liyinshu has uploaded this change for review.
Fix crash at glist_del state_sharelist
If open_state's ref count is 1, the crash can be reproduced as follows:
thread1: nfs4_op_close.c:180 inc open_state's ref to 2.
thread2: nfs4_op_lock.c:178 inc open_state's ref to 3.
thread1: nfs4_op_close.c:306 dec open_state's ref to 2.
thread1: nfs4_op_close.c:336 dec open_state's ref to 1.
thread2: nfs4_op_lock.c:598 add lock_state's state_sharelist to the tail of open_state's share_lockstates.
thread2: nfs4_op_lock.c:742 dec open_state's ref to 0 and free this open_state.
thread3: nfs4_op_free_stateid.c:120 state_del_locked(lock_state)
thread3: nfs4_state.c:458 glist_del(&lock_state->state_data.lock.state_sharelist)
thread3: gsh_list.h:102 left->next = right, crash happens, because left is open_state's share_lockstates,
and open_state has been freed by thread2, so it's a use after free.
The root cause is adding lock_state's state_sharelist to the tail of open_state's share_lockstates when the open_state
will be freed immediately. So before this, we check again whether state_open still exists in the hashtable.
Change-Id: Idc3a3171c52e6a86cc2c5c18e353702a34473e9e
Signed-off-by: liyinshu <liyinshu@bytedance.com>
---
A commit-msg
M src/Protocols/NFS/nfs4_op_lock.c
2 files changed, 113 insertions(+), 0 deletions(-)
git pull ssh://review.gerrithub.io:29418/ffilz/nfs-ganesha refs/changes/77/542077/1