Double free gsh_export entry on addexport command

The bug is easy to reproduce. Call dynamic export procedure to config with non existing path: dbus-send --print-reply --system --dest=org.ganesha.nfsd /org/ganesha/nfsd/ExportMgr org.ganesha.nfsd.exportmgr.AddExport string:/root/ganesha.conf string:"export(export_id=77)"

Config sample:

EXPORT
{
  Export_Id = 77;
  Path = /non_existing_path;
  Pseudo = /non_existing_path;
  Access_Type = RW;
  FSAL {
    Name = SOME_fSAL;
  }
}

Ganesha make double free of gsh_export struct. We call twice put_gsh_export(first in export_revert, second in out section in export_commit_common function) and free struct gsh_export. Then call export_init function from proc_bloc and free struct again:

static void *export_init(void *link_mem, void *self_struct)
{
    struct gsh_export *export;

    if (self_struct == NULL) {
        export = alloc_export();
        return export;
    } else { /* free resources case */
        export = self_struct;
        /* As part of create_export(), FSAL shall take
         * reference to the export if it supports pNFS.
         */
        if (export->has_pnfs_ds) {
            assert(export->refcnt == 1);
            /* export is not yet added to the export
             * manager. Hence there shall not be any
             * other thread racing here. So no need
             * to take lock. */
            export->has_pnfs_ds = false;
            pnfs_ds_remove(export->export_id, true);
        } else {
            assert(export->refcnt == 0);
            free_export(export);  /* <---------- double free memory */
        }

        return NULL;
    }
}

nfs-ganesha / nfs-ganesha

Double free gsh_export entry on addexport command #195