[SCM] CTDB repository - branch master updated - ctdb-1.0.105-55-gb4a7efa

Ronnie Sahlberg sahlberg at samba.org
Tue Dec 1 19:21:46 MST 2009


The branch, master has been updated
       via  b4a7efa7e53e060a91dea0e8e57b116e2aeacebf (commit)
       via  22f00368b4cb3a6bfb92033a7dbe693d31b41a54 (commit)
       via  4d0523dd94fb07e860b3e8118691f93d1ef8d0fa (commit)
       via  b5a21fd39269a6e2a9d1c8182dd42a1773ccbb3f (commit)
      from  83e7c161efa93cd7acdfc803142b4fb3bfde7538 (commit)

http://gitweb.samba.org/?p=sahlberg/ctdb.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit b4a7efa7e53e060a91dea0e8e57b116e2aeacebf
Author: Ronnie Sahlberg <ronniesahlberg at gmail.com>
Date:   Wed Dec 2 13:17:12 2009 +1100

    Use the PID we pick up from the domain socket when a client connects
    and store this in the client structure.
    
    There is no longer any need to rely on the hack where samba sends special
    message handler registrations that encode the pid in the srvid.
    
    This might not work on AIX since I recall some issues to get the pid in
    this way on that platform.

commit 22f00368b4cb3a6bfb92033a7dbe693d31b41a54
Author: Ronnie Sahlberg <ronniesahlberg at gmail.com>
Date:   Wed Dec 2 11:28:42 2009 +1100

    version 1.0.107

commit 4d0523dd94fb07e860b3e8118691f93d1ef8d0fa
Author: Rusty Russell <rusty at rustcorp.com.au>
Date:   Wed Dec 2 08:57:42 2009 +1030

    ctdb_io: fix use-after-free on invalid packets
    
    Wolfgang saw a talloc complaint about using freed memory in ctdb_tcp_read_cb.
    His fix was to remove the talloc_free() in that function, which causes
    loops when a socket is closed (as it does not get removed from the event
    system), eg:
    	netcat 192.168.1.2 4379 < /dev/null
    
    The real bug is that when we have more than one pending packet in the
    queue, we loop calling the callback without any safeguards should that
    callback free the queue (as it tends to do on invalid packets).  This
    can be reproduced by sending more than one bogus packet at once:
    	# Length word at start: 4 == empty packet (assumed little endian)
    	/usr/bin/printf \\4\\0\\0\\0\\4\\0\\0\\0 > /tmp/pkt
    	netcat 192.168.1.2 4379 < /tmp/pkt
    
    Using a destructor we can check if the callback frees us, and exit
    immediately.  Elsewhere, we return after the callback anyway.
    
    Signed-off-by: Rusty Russell <rusty at rustcorp.com.au>

commit b5a21fd39269a6e2a9d1c8182dd42a1773ccbb3f
Author: Ronnie Sahlberg <ronniesahlberg at gmail.com>
Date:   Wed Dec 2 11:26:51 2009 +1100

    version 1.0.106

-----------------------------------------------------------------------

Summary of changes:
 common/ctdb_io.c           |   20 +++++++++++++++++++-
 packaging/RPM/ctdb.spec.in |   16 +++++++++++++++-
 server/ctdb_daemon.c       |   12 ++++--------
 3 files changed, 38 insertions(+), 10 deletions(-)


Changeset truncated at 500 lines:

diff --git a/common/ctdb_io.c b/common/ctdb_io.c
index 99180ce..28830d5 100644
--- a/common/ctdb_io.c
+++ b/common/ctdb_io.c
@@ -52,6 +52,7 @@ struct ctdb_queue {
 	size_t alignment;
 	void *private_data;
 	ctdb_queue_cb_fn_t callback;
+	bool *destroyed;
 };
 
 
@@ -114,6 +115,8 @@ static void queue_io_read(struct ctdb_queue *queue)
 		/* we have at least one packet */
 		uint8_t *d2;
 		uint32_t len;
+		bool destroyed = false;
+
 		len = *(uint32_t *)data;
 		if (len == 0) {
 			/* bad packet! treat as EOF */
@@ -126,7 +129,15 @@ static void queue_io_read(struct ctdb_queue *queue)
 			/* sigh */
 			goto failed;
 		}
+
+		queue->destroyed = &destroyed;
 		queue->callback(d2, len, queue->private_data);
+		/* If callback freed us, don't do anything else. */
+		if (destroyed) {
+			return;
+		}
+		queue->destroyed = NULL;
+
 		data += len;
 		nread -= len;		
 	}
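Review bot: `queue->destroyed` holds a single pointer to a flag on this stack frame and is reset to NULL after the callback, so the guard only works for one live queue_io_read frame per queue. If a callback can ever re-enter queue_io_read on the same queue (for example through a nested event loop, which is not visible here), the inner frame clears the pointer on return. A later free in the outer callback then goes unnoticed, and the outer loop keeps using the freed queue. Saving the previous pointer, restoring it afterwards and passing the "destroyed" signal outward closes that gap. The loop body and the function continue outside this hunk.

```c
		bool *prev_destroyed = queue->destroyed;

		queue->destroyed = &destroyed;
		queue->callback(d2, len, queue->private_data);
		/* If callback freed us, don't do anything else. */
		if (destroyed) {
			/* tell an outer queue_io_read frame, if any */
			if (prev_destroyed != NULL) {
				*prev_destroyed = true;
			}
			return;
		}
		queue->destroyed = prev_destroyed;
		/* … unchanged: advance data and nread … */
```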
@@ -337,7 +348,13 @@ int ctdb_queue_set_fd(struct ctdb_queue *queue, int fd)
 	return 0;
 }
 
-
+/* If someone sets up this pointer, they want to know if the queue is freed */
+static int queue_destructor(struct ctdb_queue *queue)
+{
+	if (queue->destroyed != NULL)
+		*queue->destroyed = true;
+	return 0;
+}
 
 /*
   setup a packet queue on a socket
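Review bot: The comment on queue_destructor does not say that `queue->destroyed` points at a stack variable inside queue_io_read and is only valid while the callback runs. A maintainer who sets the pointer elsewhere needs that lifetime rule to avoid a write through a dangling pointer. I would extend it to something like `/* queue->destroyed, when set, points at a flag on queue_io_read's stack; it must be NULL whenever no callback is in progress */`. As a style point, brace the single-statement `if` to match the braced `if (destroyed) { return; }` added in queue_io_read.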
@@ -364,6 +381,7 @@ struct ctdb_queue *ctdb_queue_setup(struct ctdb_context *ctdb,
 			return NULL;
 		}
 	}
+	talloc_set_destructor(queue, queue_destructor);
 
 	return queue;
 }
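Review bot: queue_destructor dereferences `queue->destroyed` whenever it is non-NULL, so installing it here depends on the field starting out as NULL. The allocation of `queue` is above this hunk. If it is not a zeroing allocation, add `queue->destroyed = NULL;` before `talloc_set_destructor(queue, queue_destructor);`, otherwise freeing a queue that never ran a callback would write through an uninitialised pointer. ctdb_queue_setup begins outside the hunk.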
diff --git a/packaging/RPM/ctdb.spec.in b/packaging/RPM/ctdb.spec.in
index 4ca58e9..90509d0 100644
--- a/packaging/RPM/ctdb.spec.in
+++ b/packaging/RPM/ctdb.spec.in
@@ -4,7 +4,7 @@ Summary: Clustered TDB
 Vendor: Samba Team
 Packager: Samba Team <samba at samba.org>
 Name: ctdb
-Version: 1.0.105
+Version: 1.0.107
 Release: 1GITHASH
 Epoch: 0
 License: GNU GPL version 3
@@ -118,6 +118,20 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/pkgconfig/ctdb.pc
 
 %changelog
+* Wed Dec 2 2009 : Version 1.0.107
+ - fix for rusty to solve a double-free that can happen when there are
+   multiple packets queued and the connection is destroyed before
+   all packets are processed.
+* Tue Dec 1 2009 : Version 1.0.106
+ - Buildscript changes from Michael Adam
+ - Dont do a full recovery when there is a mismatch detected for ip addresses,
+   just do a less disruptive ip-reallocation
+ - When starting ctdbd, wait until all initial recoveries have finished 
+   before we issue the "startup" event.
+   So dont start services or monitoring until the cluster has
+   stabilized.
+ - Major eventscript overhaul by Ronnie, Rusty and Martins and fixes of a few
+   bugs found.
 * Thu Nov 19 2009 : Version 1.0.105
  - Fix a bug where we could SEGV if multiple concurrent "ctdb eventscript ..."
    are used and some of them block.
diff --git a/server/ctdb_daemon.c b/server/ctdb_daemon.c
index ab04371..8d85e76 100644
--- a/server/ctdb_daemon.c
+++ b/server/ctdb_daemon.c
@@ -150,13 +150,6 @@ int daemon_register_message_handler(struct ctdb_context *ctdb, uint32_t client_i
 			 (unsigned long long)srvid));
 	}
 
-	/* this is a hack for Samba - we now know the pid of the Samba client */
-	if ((srvid & 0xFFFFFFFF) == srvid &&
-	    kill(srvid, 0) == 0) {
-		client->pid = srvid;
-		DEBUG(DEBUG_INFO,(__location__ " Registered PID %u for client %u\n",
-			 (unsigned)client->pid, client_id));
-	}
 	return res;
 }
 
@@ -571,12 +564,13 @@ static void ctdb_accept_client(struct event_context *ev, struct fd_event *fde,
 #else
 	if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &crl) == 0) {
 #endif
-		talloc_asprintf(client, "struct ctdb_client: pid:%u", (unsigned)cr.pid);
+		DEBUG(DEBUG_ERR,("Connected client with pid:%u\n", (unsigned)cr.pid));
 	}
 
 	client->ctdb = ctdb;
 	client->fd = fd;
 	client->client_id = ctdb_reqid_new(ctdb, client);
+	client->pid = cr.pid;
 	ctdb->statistics.num_clients++;
 
 	client->queue = ctdb_queue_setup(ctdb, client, fd, CTDB_DS_ALIGNMENT, 
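Review bot: `client->pid = cr.pid;` is assigned unconditionally, after the `if (getsockopt(...) == 0)` block has closed, so when the peer-credential lookup fails the stored pid is whatever `cr` happened to contain. The declaration and any initialisation of `cr` are outside the hunk. Since the pid now identifies the client process, set it only on success by moving `client->pid = cr.pid;` inside the `if` body next to the log line, and leave it at its initial value otherwise. Separately, a normal connect is logged at `DEBUG_ERR`; `DEBUG_INFO`, as used by the registration message this commit removes, would keep the error log for real failures. ctdb_accept_client continues outside the hunk.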
@@ -1156,3 +1150,5 @@ int32_t ctdb_control_deregister_notify(struct ctdb_context *ctdb, uint32_t clien
 
 	return 0;
 }
+
+


-- 
CTDB repository

