[nfs-discuss] Code review: 6900751 Corrupt call_table / callist structure leads to networking hang

Wed, 16 Dec 2009 22:15:49 -0600 

Looks good -- 

(took me a couple of looks to see the additional "goto" at the end of the 
cku_err.re_why case statement(s) :) .. ) 

Robert.  

On Dec 16, 2009, at 11:09 AM, Marcel Telka wrote:

> Hi,
> 
> I would like to ask you for code review for this bug:
> 
> 6900751 Corrupt call_table / callist structure leads to networking hang
> 
> The webrev is available here:
> http://cr.opensolaris.org/~aragorn/6900751-rpcmod-calltable/
> 
> 
> Here is root cause of the problem:
> ==================================
> 
> clnt_clts_kcallit_addr() called AUTH_REFRESH() while the "call" was still in
> the call table. The AUTH_REFRESH() (in this case rpc_gss_refresh() function)
> just reused the "call" adding it to the call table again, but with different
> xid this time. This caused the call table corruption.
> 
> 
>    454 enum clnt_stat
>    455 clnt_clts_kcallit_addr(CLIENT *h, rpcproc_t procnum, xdrproc_t 
> xdr_args,
>    456        caddr_t argsp, xdrproc_t xdr_results, caddr_t resultsp,
>    457        struct timeval wait, struct netbuf *sin)
> 
> ...
> 
>    496 call_again:
> 
> ...
> 
>    584        error = clnt_clts_dispatch_send(p->cku_endpnt->e_wq, mp,
>    585            &p->cku_addr, call, p->cku_xid, p->cku_cred);   <--- HERE 
> the call is added to the call table
> 
> ...
> 
>    877                if (refreshes > 0 &&
>    878                    AUTH_REFRESH(h->cl_auth, &reply_msg, p->cku_cred))  
> {      <--- HERE we reused the call (we added it to the call table, then 
> removed it)
> 
> ...
> 
>    891                        call_table_remove(call);   <--- HERE we tried 
> to remove the already removed call
> 
> ...
> 
>    901                        goto call_again;
>    902                }
>    903                /*                <------ HERE we are aware that we 
> reused it (client handle contains the call in the structures)
>    904                 * We have used the client handle to do an AUTH_REFRESH
>    905                 * and the RPC status may be set to RPC_SUCCESS;
>    906                 * Let's make sure to set it to RPC_AUTHERROR.
>    907                 */
> 
> ...
> 
>    925                                call_table_remove(call);     <--- 
> different path where we tried to remove the already removed call
> 
> 
> 
> In addition, the webrev contains some cleanup and minor fixes in other parts 
> of
> the clnt_clts_kcallit_addr() function.
> 
> Should you have any question, please ask.
> 
> 
> Thank you.
> 
> -- 
> Marcel Telka
> Solaris RPE
> _______________________________________________
> nfs-discuss mailing list
> nfs-discuss at opensolaris.org

Reply via email to