The branch, 1.0.112 has been updated via e2333774246b40d0e79c2d93873bc98a6369c42a (commit) via 2a5e4101f87f763cb55b8d1f4ab6a521abd1e41d (commit) from c19b5fcd1689149e750ccc0a7ac1934045b46e1c (commit)
http://gitweb.samba.org/?p=sahlberg/ctdb.git;a=shortlog;h=1.0.112 - Log ----------------------------------------------------------------- commit e2333774246b40d0e79c2d93873bc98a6369c42a Author: Ronnie Sahlberg <ronniesahlb...@gmail.com> Date: Mon Jul 26 15:26:33 2010 +1000 New version 1.0.112-29 - Fix for a SEGV that can happen when tcp tickles fail/timeout CQ:S1019041 commit 2a5e4101f87f763cb55b8d1f4ab6a521abd1e41d Author: Rusty Russell <ru...@rustcorp.com.au> Date: Mon Jul 26 13:58:48 2010 +0930 takeover: prevent crash by avoiding free in traverse on RST timeout After 5 attempts to send a RST to a client without any response, we free "con"; this is done during a traverse. This frees the node we are walking through (the node is made a child of "con" down in rb_tree.c's trbt_create_node() (Valgrind would catch this, as Martin confirmed). So, we create a temporary parent and reparent onto that; then we free that parent after the traverse, thus deleting the unwanted nodes. CQ:S1019041 Signed-off-by: Rusty Russell <ru...@rustcorp.com.au> ----------------------------------------------------------------------- Summary of changes: packaging/RPM/ctdb.spec.in | 6 +++++- server/ctdb_takeover.c | 9 ++++++--- 2 files changed, 11 insertions(+), 4 deletions(-) Changeset truncated at 500 lines:
diff --git a/packaging/RPM/ctdb.spec.in b/packaging/RPM/ctdb.spec.in
index def3cce..625f3e3 100644
--- a/packaging/RPM/ctdb.spec.in
+++ b/packaging/RPM/ctdb.spec.in
@@ -5,7 +5,7 @@ Vendor: Samba Team
 Packager: Samba Team <sa...@samba.org>
 Name: ctdb
 Version: 1.0.112
-Release: 28
+Release: 29
 Epoch: 0
 License: GNU GPL version 3
 Group: System Environment/Daemons
@@ -125,6 +125,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_docdir}/ctdb/tests/bin/ctdb_transaction
 %changelog
+* Mon Jul 26 2010 : Version 1.0.112-29
+ - Fix for a SEGV that can happen when tcp tickles fail/timeout
+ CQ:S1019041
+
 * Wed Jul 21 2010 : Version 1.0.112-28
 - Turn back on deterministic IPs by default (needs more analysis)
diff --git a/server/ctdb_takeover.c b/server/ctdb_takeover.c
index ae6c064..6c771e0 100644
--- a/server/ctdb_takeover.c
+++ b/server/ctdb_takeover.c
@@ -1607,7 +1607,8 @@ static void tickle_connection_traverse(void *param, void *data)
 /* have tried too many times, just give up */
 if (con->count >= 5) {
- talloc_free(con);
+ /* can't delete in traverse: reparent to delete_cons */
+ talloc_steal(param, con);
 return;
 }
@@ -1627,11 +1628,13 @@ static void ctdb_tickle_sentenced_connections(struct event_context *ev, struct t
 struct timeval t, void *private_data)
 {
 struct ctdb_kill_tcp *killtcp = talloc_get_type(private_data, struct ctdb_kill_tcp);
-
+ void *delete_cons = talloc_new(NULL);
 /* loop over all connections sending tickle ACKs */
- trbt_traversearray32(killtcp->connections, KILLTCP_KEYLEN, tickle_connection_traverse, NULL);
+ trbt_traversearray32(killtcp->connections, KILLTCP_KEYLEN, tickle_connection_traverse, delete_cons);
+ /* now we've finished traverse, it's safe to do deletion. */
+ talloc_free(delete_cons);
 /* If there are no more connections to kill we can remove the
 entire killtcp structure
-- CTDB repository
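Review bot: The result of `talloc_new(NULL)` in ctdb_tickle_sentenced_connections is handed to the traverse unchecked, and the new `talloc_steal(param, con)` in tickle_connection_traverse relies on it being a real context. If the allocation fails, `param` is NULL, so talloc_steal() moves each timed-out connection to the null (top-level) context and the later `talloc_free(delete_cons)` releases nothing; `con` is then detached from whatever owned it before (the allocation site is not in these hunks) and is presumably no longer released when the killtcp structure goes away, while its tree node stays in `killtcp->connections`. Guarding the reparent leaves the connection under its original owner so a later pass can delete it: `if (param != NULL) talloc_steal(param, con);`. A short comment at the `talloc_new` line saying that a NULL context only defers the deletion would document the intent; both function bodies continue outside the hunks, so the rest of the timer handler should be checked against this.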