From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Date: Mon, 26 Aug 2013 14:13:06 +0000 (-0400)
Subject: Fix: metadata lttng channel refcount
X-Git-Tag: v2.3.0-rc2~1
X-Git-Url: http://git.lttng.org/?p=lttng-modules.git;a=commitdiff_plain;h=d4d4b9c765362750b023ac23161573113189620d

Fix: metadata lttng channel refcount

The OOPS at bug #622 is likely caused by a missing reference on the
lttng channel structure, which could lead to accessing the object after
it has been destroyed if the lttng channel file descriptor is closed
while the metadata stream fd is still in use.

Fixes #622

Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Acked-by: Julien Desfossez <jdesfossez@efficios.com>
---

diff --git a/lttng-abi.c b/lttng-abi.c
index ba8362b1..26a456ec 100644
--- a/lttng-abi.c
+++ b/lttng-abi.c
@@ -686,8 +686,11 @@ int lttng_metadata_ring_buffer_release(struct inode *inode, struct file *file)
 {
 	struct lttng_metadata_stream *stream = file->private_data;
 	struct lib_ring_buffer *buf = stream->priv;
+	struct channel *chan = buf->backend.chan;
+	struct lttng_channel *lttng_chan = channel_get_private(chan);
 
 	kref_put(&stream->metadata_cache->refcount, metadata_cache_destroy);
+	fput(lttng_chan->file);
 
 	return lib_ring_buffer_release(inode, file, buf);
 }
@@ -819,6 +822,7 @@ int lttng_abi_open_metadata_stream(struct file *channel_file)
 	if (ret < 0)
 		goto fd_error;
 
+	atomic_long_inc(&channel_file->f_count);
 	kref_get(&session->metadata_cache->refcount);
 	list_add(&metadata_stream->list,
 		&session->metadata_cache->metadata_stream);