Hello,
On 7/21/22 2:41 PM, Attila Kovacs wrote:
Hi again,
I found yet more potential MT flaws in clnt_dg.c and clnt_vg.c.
1. In clnt_dg.c in clnt_dg_freeres(), cu_fd_lock->active is set to TRUE,
with no corresponding clearing when the operation (*xdr_res() call) is
completed. This would leave other waiting operations blocked
indefinitely, effectively deadlocked. For comparison, clnt_vd_freeres()
in clnt_vc.c does not set the active state to TRUE. I believe the vc
behavior is correct, while the dg behavior is a bug.
2. If clnt_dg_destroy() or clnt_vc_destroy() is awoken with other
blocked operations pending (such as clnt_*_call(), clnt_*_control(), or
clnt_*_freeres()) but no active operation currently being executed, then
the client gets destroyed. Then, as the other blocked operations get
subsequently awoken, they will try operate on an invalid client handle,
potentially causing unpredictable behavior and stack corruption.
The proposed fix is to introduce a simple mutexed counting variable into
the client lock structure, which keeps track of the number of pending
blocking operations on the client. This way, clnt_*_destroy() can check
if there are any operations pending on a client, and keep waiting until
all pending operations are completed, before the client is destroyed
safely and its resources are freed.
Attached is a patch with the above fixes.
There is a problem here... This patch does contain the first patch
you posted. So when I apply this patch it fails.
So Please apply your first patch, then apply the fixes from
your second patch... test... then when all is good...
Resent the second patch which will apply, cleanly,
with the first patch.
steved.
-- A.
