Malahal has uploaded this change for review.


Fix lru_reap_chunk_impl racing with mdcache_lru_unref()

lru_reap_chunk_impl() gets a ref on chunk->parent, but its lru refcount
could be zero by then. When a directory gets removed or one of its
operations receives an ESTALE error from the FSAL, mdcache would eventually
call mdcache_lru_unref() to free up the directory handle.

mdcache_lru_unref() frees its chunks after the directory handle
*refcount goes to zero*, so lru_reap_chunk_impl() could increment the
directory handle refcount after it was already zero. As a result, both the
original thread that was freeing the directory handle and the thread
calling lru_reap_chunk_impl() will try to free the same directory entry,
leading to use-after-free crashes.

Change-Id: I4a77f10cbd4640e2aea7b9f05b2d47f2dfdb16e2
Signed-off-by: Malahal Naineni <malahal@us.ibm.com>
---
M src/FSAL/Stackable_FSALs/FSAL_MDCACHE/mdcache_lru.c
1 file changed, 14 insertions(+), 21 deletions(-)
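The race described in the commit message, reduced to its refcount core, as an added example that is not code from nfs-ganesha or from this patch. The `struct dir_handle`, `ref_get_unconditional()`, `ref_get_unless_zero()`, `ref_put()` and `simulate()` names are all constructed for illustration; the message does not say how the patch itself resolves the race, so the "increment only if non-zero" pattern shown here is one standard defense against taking a reference on an object whose last reference has already been dropped, not necessarily what the patch does.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Toy directory handle with an LRU-style refcount. Constructed for this
 * example; it is not mdcache's real struct. */
struct dir_handle {
	atomic_int refcnt;
	int freed;   /* how many times teardown ran; >1 models a double free */
	int chunks;  /* stand-in for the chunk list freed on teardown */
};

/* Unconditional ref, the racy pattern the commit message describes:
 * it happily takes the count from 0 to 1 on a handle being torn down. */
static int ref_get_unconditional(struct dir_handle *h)
{
	return atomic_fetch_add(&h->refcnt, 1) + 1;
}

/* Increment only while the count is still non-zero. Returns false if the
 * object is already at zero, i.e. another thread owns its teardown and the
 * caller must not touch it. */
static bool ref_get_unless_zero(struct dir_handle *h)
{
	int old = atomic_load(&h->refcnt);
	while (old != 0) {
		/* On failure, old is reloaded with the current value and the
		 * loop re-checks it against zero before retrying. */
		if (atomic_compare_exchange_weak(&h->refcnt, &old, old + 1))
			return true;
	}
	return false;
}

/* Drop a ref; whoever takes the count to zero frees the chunks. */
static bool ref_put(struct dir_handle *h)
{
	if (atomic_fetch_sub(&h->refcnt, 1) == 1) {
		h->chunks = 0;
		h->freed++;
		return true;
	}
	return false;
}

/* Replay the interleaving from the commit message deterministically:
 * the last owner (the unref path) drops the count to zero, then the reaper
 * tries to take a ref on the parent. Returns how many times teardown ran. */
static int simulate(bool use_unless_zero)
{
	struct dir_handle h = { .refcnt = 1, .freed = 0, .chunks = 3 };
	bool got;

	/* Thread A: mdcache_lru_unref() style release, 1 -> 0, chunks freed. */
	ref_put(&h);

	/* Thread B: reaper gets a ref on chunk->parent after the fact. */
	if (use_unless_zero)
		got = ref_get_unless_zero(&h);       /* refused: count is 0 */
	else
		got = ref_get_unconditional(&h) > 0; /* 0 -> 1, object is dead */

	/* If B believed it owned a ref, it eventually releases it, and the
	 * unconditional variant then frees the same chunks a second time. */
	if (got)
		ref_put(&h);

	return h.freed;
}

int main(void)
{
	printf("unconditional ref: teardown ran %d time(s)\n", simulate(false));
	printf("inc-unless-zero:   teardown ran %d time(s)\n", simulate(true));
	return 0;
}
```

The compare-and-swap loop is what makes the check and the increment one atomic step; reading the count and then incrementing it separately would reopen the same window the commit message describes.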

git pull ssh://review.gerrithub.io:29418/ffilz/nfs-ganesha refs/changes/39/484339/1


Gerrit-Project: ffilz/nfs-ganesha
Gerrit-Branch: next
Gerrit-Change-Id: I4a77f10cbd4640e2aea7b9f05b2d47f2dfdb16e2
Gerrit-Change-Number: 484339
Gerrit-PatchSet: 1
Gerrit-Owner: Malahal <malahal@gmail.com>
Gerrit-MessageType: newchange