[SCM] CTDB repository - branch master updated - ctdb-1.0.105-55-gb4a7efa
Ronnie Sahlberg
sahlberg at samba.org
Tue Dec 1 19:21:46 MST 2009
The branch, master has been updated
via b4a7efa7e53e060a91dea0e8e57b116e2aeacebf (commit)
via 22f00368b4cb3a6bfb92033a7dbe693d31b41a54 (commit)
via 4d0523dd94fb07e860b3e8118691f93d1ef8d0fa (commit)
via b5a21fd39269a6e2a9d1c8182dd42a1773ccbb3f (commit)
from 83e7c161efa93cd7acdfc803142b4fb3bfde7538 (commit)
http://gitweb.samba.org/?p=sahlberg/ctdb.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit b4a7efa7e53e060a91dea0e8e57b116e2aeacebf
Author: Ronnie Sahlberg <ronniesahlberg at gmail.com>
Date: Wed Dec 2 13:17:12 2009 +1100
Use the PID we pick up from the domain socket when a client connects
and store this in the client structure.
There is no need to rely on the hack that samba sends some special message
handle registrations that encodes the pid in the srvid any more.
This might not work on AIX since I recall some issues to get the pid in
this way on that platform.
commit 22f00368b4cb3a6bfb92033a7dbe693d31b41a54
Author: Ronnie Sahlberg <ronniesahlberg at gmail.com>
Date: Wed Dec 2 11:28:42 2009 +1100
version 1.0.107
commit 4d0523dd94fb07e860b3e8118691f93d1ef8d0fa
Author: Rusty Russell <rusty at rustcorp.com.au>
Date: Wed Dec 2 08:57:42 2009 +1030
ctdb_io: fix use-after-free on invalid packets
Wolfgang saw a talloc complaint about using freed memory in ctdb_tcp_read_cb.
His fix was to remove the talloc_free() in that function, which causes
loops when a socket is closed (as it does not get removed from the event
system), eg:
netcat 192.168.1.2 4379 < /dev/null
The real bug is that when we have more than one pending packet in the
queue, we loop calling the callback without any safeguards should that
callback free the queue (as it tends to do on invalid packets). This
can be reproduced by sending more than one bogus packet at once:
# Length word at start: 4 == empty packet (assumed little endian)
/usr/bin/printf \\4\\0\\0\\0\\4\\0\\0\\0 > /tmp/pkt
netcat 192.168.1.2 4379 < /tmp/pkt
Using a destructor we can check if the callback frees us, and exit
immediately. Elsewhere, we return after the callback anyway.
Signed-off-by: Rusty Russell <rusty at rustcorp.com.au>
commit b5a21fd39269a6e2a9d1c8182dd42a1773ccbb3f
Author: Ronnie Sahlberg <ronniesahlberg at gmail.com>
Date: Wed Dec 2 11:26:51 2009 +1100
version 1.0.106
-----------------------------------------------------------------------
Summary of changes:
common/ctdb_io.c | 20 +++++++++++++++++++-
packaging/RPM/ctdb.spec.in | 16 +++++++++++++++-
server/ctdb_daemon.c | 12 ++++--------
3 files changed, 38 insertions(+), 10 deletions(-)
Changeset truncated at 500 lines:
diff --git a/common/ctdb_io.c b/common/ctdb_io.c
index 99180ce..28830d5 100644
--- a/common/ctdb_io.c
+++ b/common/ctdb_io.c
@@ -52,6 +52,7 @@ struct ctdb_queue {
size_t alignment;
void *private_data;
ctdb_queue_cb_fn_t callback;
+ bool *destroyed;
};
@@ -114,6 +115,8 @@ static void queue_io_read(struct ctdb_queue *queue)
/* we have at least one packet */
uint8_t *d2;
uint32_t len;
+ bool destroyed = false;
+
len = *(uint32_t *)data;
if (len == 0) {
/* bad packet! treat as EOF */
@@ -126,7 +129,15 @@ static void queue_io_read(struct ctdb_queue *queue)
/* sigh */
goto failed;
}
+
+ queue->destroyed = &destroyed;
queue->callback(d2, len, queue->private_data);
+ /* If callback freed us, don't do anything else. */
+ if (destroyed) {
+ return;
+ }
+ queue->destroyed = NULL;
+
data += len;
nread -= len;
}
@@ -337,7 +348,13 @@ int ctdb_queue_set_fd(struct ctdb_queue *queue, int fd)
return 0;
}
-
+/* If someone sets up this pointer, they want to know if the queue is freed */
+static int queue_destructor(struct ctdb_queue *queue)
+{
+ if (queue->destroyed != NULL)
+ *queue->destroyed = true;
+ return 0;
+}
/*
setup a packet queue on a socket
@@ -364,6 +381,7 @@ struct ctdb_queue *ctdb_queue_setup(struct ctdb_context *ctdb,
return NULL;
}
}
+ talloc_set_destructor(queue, queue_destructor);
return queue;
}
diff --git a/packaging/RPM/ctdb.spec.in b/packaging/RPM/ctdb.spec.in
index 4ca58e9..90509d0 100644
--- a/packaging/RPM/ctdb.spec.in
+++ b/packaging/RPM/ctdb.spec.in
@@ -4,7 +4,7 @@ Summary: Clustered TDB
Vendor: Samba Team
Packager: Samba Team <samba at samba.org>
Name: ctdb
-Version: 1.0.105
+Version: 1.0.107
Release: 1GITHASH
Epoch: 0
License: GNU GPL version 3
@@ -118,6 +118,20 @@ rm -rf $RPM_BUILD_ROOT
%{_libdir}/pkgconfig/ctdb.pc
%changelog
+* Wed Dec 2 2009 : Version 1.0.107
+ - fix for rusty to solve a double-free that can happen when there are
+ multiple packets queued and the connection is destroyed before
+ all packets are processed.
+* Tue Dec 1 2009 : Version 1.0.106
+ - Buildscript changes from Michael Adam
+ - Dont do a full recovery when there is a mismatch detected for ip addresses,
+ just do a less disruptive ip-reallocation
+ - When starting ctdbd, wait until all initial recoveries have finished
+ before we issue the "startup" event.
+ So dont start services or monitoring until the cluster has
+ stabilized.
+ - Major eventscript overhaul by Ronnie, Rusty and Martins and fixes of a few
+ bugs found.
* Thu Nov 19 2009 : Version 1.0.105
- Fix a bug where we could SEGV if multiple concurrent "ctdb eventscript ..."
are used and some of them block.
diff --git a/server/ctdb_daemon.c b/server/ctdb_daemon.c
index ab04371..8d85e76 100644
--- a/server/ctdb_daemon.c
+++ b/server/ctdb_daemon.c
@@ -150,13 +150,6 @@ int daemon_register_message_handler(struct ctdb_context *ctdb, uint32_t client_i
(unsigned long long)srvid));
}
- /* this is a hack for Samba - we now know the pid of the Samba client */
- if ((srvid & 0xFFFFFFFF) == srvid &&
- kill(srvid, 0) == 0) {
- client->pid = srvid;
- DEBUG(DEBUG_INFO,(__location__ " Registered PID %u for client %u\n",
- (unsigned)client->pid, client_id));
- }
return res;
}
@@ -571,12 +564,13 @@ static void ctdb_accept_client(struct event_context *ev, struct fd_event *fde,
#else
if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &crl) == 0) {
#endif
- talloc_asprintf(client, "struct ctdb_client: pid:%u", (unsigned)cr.pid);
+ DEBUG(DEBUG_ERR,("Connected client with pid:%u\n", (unsigned)cr.pid));
}
client->ctdb = ctdb;
client->fd = fd;
client->client_id = ctdb_reqid_new(ctdb, client);
+ client->pid = cr.pid;
ctdb->statistics.num_clients++;
client->queue = ctdb_queue_setup(ctdb, client, fd, CTDB_DS_ALIGNMENT,
@@ -1156,3 +1150,5 @@ int32_t ctdb_control_deregister_notify(struct ctdb_context *ctdb, uint32_t clien
return 0;
}
+
+
--
CTDB repository
More information about the samba-cvs
mailing list