
core: glusterfs encounter a SIGSEGV in __gf_free

Open mohit84 opened this issue 1 year ago • 0 comments

glusterfs encounter a SIGSEGV in __gf_free called from glusterfs_volfile_fetch_on

The glusterfs (fuse client) is showing the below stacktrace:

```
Program terminated with signal 11, Segmentation fault.
#0  __gf_free (free_ptr=free_ptr@entry=0x556c7d749040) at mem-pool.c:326
326         if (!num_allocs) {
(gdb) bt
#0  __gf_free (free_ptr=free_ptr@entry=0x556c7d749040) at mem-pool.c:326
#1  0x0000556c64722f9c in STACK_DESTROY (stack=0x556c7d749040) at ../../libglusterfs/src/glusterfs/stack.h:199
#2  glusterfs_volfile_fetch_one (ctx=ctx@entry=0x556c6692e000, volfile_id=) at glusterfsd-mgmt.c:2269
#3  0x0000556c6472344a in glusterfs_volfile_fetch (ctx=ctx@entry=0x556c6692e000) at glusterfsd-mgmt.c:2293
#4  0x0000556c6471d1ac in reincarnate (signum=) at glusterfsd.c:1655
#5  glusterfs_sigwaiter (arg=) at glusterfsd.c:2411
#6  0x00007fb65ab82ea5 in start_thread (arg=0x7fb6523b0700) at pthread_create.c:307
#7  0x00007fb65a448b0d in gnu_dev_makedev (major=, minor=) at ../sysdeps/unix/sysv/linux/makedev.c:37
#8  0x0000000000000000 in ?? ()
(gdb)
```

After analysing the stacktrace we found the crash is due to a double free in glusterfs_volfile_fetch_one. The function is calling mgmt_submit_request, which is calling the rpc_clnt_submit function. The rpc_clnt_submit function is calling cbkfn in case of error, which eventually destroys the stacktrace and returns an error to the parent. The parent function glusterfs_volfile_fetch_one is also calling STACK_DESTROY, so the process is crashing.

Solution: Avoid frame cleanup in case of an error return from mgmt_submit_request.

mohit84, Jul 05 '23 05:07
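To illustrate the ownership hand-off behind this crash, here is an added example (not GlusterFS code): a minimal C model in which the submit routine's error callback frees the frame and the caller frees it again, beside the caller with the proposed fix. All names are hypothetical stand-ins for STACK_DESTROY, mgmt_submit_request and glusterfs_volfile_fetch_one, and the destroy routine is instrumented to count and refuse a repeat call instead of corrupting the heap.

```c
#include <stdbool.h>

/* Hypothetical frame model; names are not GlusterFS's own. */
typedef struct {
    bool destroyed;     /* set once the frame has been torn down */
    int destroy_calls;  /* number of destroy attempts on this frame */
} call_frame_t;
typedef int (*cbk_fn)(call_frame_t *frame);

/* Instrumented STACK_DESTROY: a repeat call is the issue's double free; count it and refuse. */
static int stack_destroy(call_frame_t *frame) {
    frame->destroy_calls++;
    if (frame->destroyed)
        return -1;      /* double destroy detected */
    frame->destroyed = true;
    return 0;
}

/* Models mgmt_submit_request: on failure the cbkfn (here stack_destroy
 * itself) tears the frame down before the error reaches the caller. */
static int submit_request(call_frame_t *frame, bool fail, cbk_fn cbkfn) {
    if (fail) {
        cbkfn(frame);
        return -1;
    }
    return 0;
}

/* Buggy caller: destroys the frame regardless of the return value. */
static int volfile_fetch_buggy(call_frame_t *frame, bool fail) {
    int ret = submit_request(frame, fail, stack_destroy);
    stack_destroy(frame);   /* second destroy when ret < 0 */
    return ret;
}

/* Fixed caller: skip cleanup on error, since the callback already freed the frame. */
static int volfile_fetch_fixed(call_frame_t *frame, bool fail) {
    int ret = submit_request(frame, fail, stack_destroy);
    if (ret == 0)
        stack_destroy(frame);
    return ret;
}

/* Runs one scenario and returns the number of destroy attempts. */
int destroy_count(bool use_fixed, bool fail) {
    call_frame_t frame = { false, 0 };
    if (use_fixed) volfile_fetch_fixed(&frame, fail);
    else volfile_fetch_buggy(&frame, fail);
    return frame.destroy_calls;
}
```

The buggy caller records two destroy attempts on the error path, which is exactly the second __gf_free that faults in the trace; the fixed caller records one in both the success and error cases.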