[OpenAFS-devel] Fileserver crash in rxi_ReceiveDebugPacket walking rx_idleServerQueue unprotected

Rainer Toebbicke rtb@pclella.cern.ch
27 May 2004 10:19:04 +0200 

--=-7T1zTfJ7hOip90Z81Vup
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

The attached patch is for openafs 1.2.10, but applies to my not too
recent 1.3.something as well: 

in rx_packet.c:rxi_ReceiveDebugPacket() the rx_idleServerQueue is
scanned without taking a lock first. 

The queue_Remove macro zeroes the ->next field (luckily), but this can 
lead to a crash when Murphy strikes and the entry gets removed during 
the scan: queue_Scan will dereference 0x0 -> next.

Actually: from experience I would argue that the number of "idle
threads" is pretty useless information anyway (as opposed to e.g. the
number of calls waiting!), so why count them.
In that case the "fix" would be to stuff 42 or whatever in there...


-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Rainer Toebbicke 
European Laboratory for Particle Physics(CERN) - Geneva, Switzerland  
Phone: +41 22 767 8985       Fax: +41 22 767 7155 

--=-7T1zTfJ7hOip90Z81Vup
Content-Disposition: attachment; filename=patch_crash_rxdebug
Content-Transfer-Encoding: quoted-printable
Content-Type: text/x-patch; name=patch_crash_rxdebug; charset=ISO-8859-1

*** openafs/src/rx/rx_packet.c.orig	Fri May 23 08:52:31 2003
--- openafs/src/rx/rx_packet.c	Wed May 26 17:49:03 2004
***************
*** 1142,1147 ****
--- 1142,1148 ----
  #ifndef	RX_ENABLE_LOCKS
  	    tstat.waitingForPackets =3D rx_waitingForPackets;
  #endif
+ 	    MUTEX_ENTER(&rx_serverPool_lock);
  	    tstat.nFreePackets =3D htonl(rx_nFreePackets);
  	    tstat.callsExecuted =3D htonl(rxi_nCalls);
  	    tstat.packetReclaims =3D htonl(rx_packetReclaims);
***************
*** 1149,1154 ****
--- 1150,1156 ----
  	    tstat.nWaiting =3D htonl(rx_nWaiting);
  	    queue_Count( &rx_idleServerQueue, np, nqe,=20
  				rx_serverQueueEntry, tstat.idleThreads);=20
+ 	    MUTEX_EXIT(&rx_serverPool_lock);
  	    tstat.idleThreads =3D htonl(tstat.idleThreads);
  	    tl =3D sizeof(struct rx_debugStats) - ap->length;
  	    if (tl > 0)

--=-7T1zTfJ7hOip90Z81Vup--