Add client references

We have a use-after-free in the fio_handle_clients() loop.
If we receive a QUIT command, we remove the client in
fio_handle_client(). But fio_handle_clients() doesn't
have a way to detect this, so it checks client->error
after it has potentially been freed.

Add a simple reference to get rid of this problem.

Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/client.c b/client.c
index a65cbcba9d505795f76eb72ce2ad958c87569c97..b0ccad0481699fa1fc54178ebff6672618cf9e52 100644 (file)
--- a/client.c
+++ b/client.c
@@ -93,8 +93,10 @@ static struct fio_client *find_client_by_fd(int fd)
        flist_for_each(entry, &client_hash[bucket]) {
                client = flist_entry(entry, struct fio_client, hash_list);
 
-               if (client->fd == fd)
+               if (client->fd == fd) {
+                       client->refs++;
                        return client;
+               }
        }
 
        return NULL;
@@ -102,6 +104,11 @@ static struct fio_client *find_client_by_fd(int fd)
 
 static void remove_client(struct fio_client *client)
 {
+       assert(client->refs);
+
+       if (--client->refs)
+               return;
+
        dprint(FD_NET, "client: removed <%s>\n", client->hostname);
        flist_del(&client->list);
 
@@ -123,6 +130,11 @@ static void remove_client(struct fio_client *client)
        sum_stat_clients--;
 }
 
+static void put_client(struct fio_client *client)
+{
+       remove_client(client);
+}
+
 static void __fio_client_add_cmd_option(struct fio_client *client,
                                        const char *opt)
 {
@@ -187,6 +199,7 @@ struct fio_client *fio_client_add_explicit(struct client_ops *ops,
 
        client->fd = -1;
        client->ops = ops;
+       client->refs = 1;
 
        __fio_client_add_cmd_option(client, "fio");
 
@@ -235,6 +248,7 @@ int fio_client_add(struct client_ops *ops, const char *hostname, void **cookie)
 
        client->fd = -1;
        client->ops = ops;
+       client->refs = 1;
 
        __fio_client_add_cmd_option(client, "fio");
 
@@ -1116,6 +1130,7 @@ int fio_handle_clients(struct client_ops *ops)
                                retval = 1;
                        } else if (client->error)
                                retval = 1;
+                       put_client(client);
                }
        }
 

diff --git a/client.h b/client.h
index d0f9b28101d17bbefe24133baacb25380447c8ab..213987ca4511df538ca383082ed6e0b33eea34eb 100644 (file)
--- a/client.h
+++ b/client.h
@@ -23,6 +23,7 @@ struct fio_client {
        char *hostname;
        int port;
        int fd;
+       unsigned int refs;
 
        char *name;