Description
My GlusterFS version is 8.2.
The afr_notify() function can potentially access a null pointer because afr_has_quorum is called when this->private has already been freed (likely during volume fini process). This leads to a segmentation fault.
Steps to Reproduce:

1. Create 50 replica 3 volumes.
2. On either node1 or node2, execute remove-brick:
   `gluster volume remove-brick <vol_name> replica 2 hostname:brickpath`
3. Perform peer detach:
   `gluster peer detach node3`
4. Perform peer probe:
   `gluster peer probe node3`
5. Execute add-brick:
   `gluster volume add-brick <vol_name> replica 3 hostname:brickpath`

Repeat steps 2 to 5; there is a chance the issue will be reproduced.
After executing the script for approximately four hours, I managed to reproduce the problem.
GDB Stack Trace:

```
(gdb) bt full
#0 afr_has_quorum (subvols=0x7f57e5f21310 "", this=this@entry=0x7f57e4019ff0, frame=frame@entry=0x0)
    at afr-transaction.c:838
        __i = 0
        __res = 0
        quorum_count = 0
        priv = 0x0
        up_children_count = 0
#1 0x00007f592fc78da7 in afr_notify (this=0x7f57e4019ff0, event=, data=0x7f527ca43720,
    data2=) at afr-common.c:6397
        priv = 0x7f57e54b97d0
        child_xlator = 0x7f527ca43720
        i =
        propagate =
        had_heard_from_all =
        have_heard_from_all =
        idx =
        ret = -1
        call_psh = 0
        up_child = -1
        input = 0x0
        output = 0x0
        had_quorum =
        has_quorum = false
        halo_max_latency_msec =
        child_latency_msec =
        FUNCTION = "afr_notify"
#2 0x00007f592fc7931d in notify (this=, event=, data=)
    at afr.c:42
        ret = -1
        ap = {{gp_offset = 24, fp_offset = 0, overflow_arg_area = 0x7f593cffcbc0,
            reg_save_area = 0x7f593cffcb80}}
        data2 =
#3 0x00007f5947627558 in xlator_notify (xl=0x7f57e4019ff0, event=event@entry=6,
    data=data@entry=0x7f527ca43720) at xlator.c:693
        old_THIS = 0x7f527ca43720
        ret = 0
#4 0x00007f59476d4465 in default_notify (this=this@entry=0x7f527ca43720, event=event@entry=6,
    data=data@entry=0x7f527d48e850) at defaults.c:3392
        parent = 0x7f57e4013640
        ret = 0
--Type for more, q to quit, c to continue without paging--q
(gdb) f 0
#0 afr_has_quorum (subvols=0x7f57e5f21310 "", this=this@entry=0x7f57e4019ff0, frame=frame@entry=0x0)
    at afr-transaction.c:838
838         up_children_count = AFR_COUNT(subvols, priv->child_count);
(gdb) p this->private
$18 = (void *) 0x0
(gdb) f 1
#1 0x00007f592fc78da7 in afr_notify (this=0x7f57e4019ff0, event=, data=0x7f527ca43720,
    data2=) at afr-common.c:6397
6397        has_quorum = afr_has_quorum(priv->child_up, this, NULL);
(gdb) p this->private
$19 = (void *) 0x0
(gdb) p priv
$20 = (afr_private_t *) 0x7f57e54b97d0
```
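The two `p this->private` results above are the whole story: frame #1 (`afr_notify`) still holds a cached `priv` from before fini ran, while frame #0 (`afr_has_quorum`) re-reads `this->private` and gets `0x0`. The following is an added, constructed model of that interleaving, not GlusterFS code: the `toy_*` types and functions, the single-byte `child_up` array and the simple-majority quorum rule are all assumptions of the model. It shows the unchecked quorum routine that dereferences the NULL re-read, and a checked variant that returns an error when the private state has already been detached.

```c
#include <stdlib.h>

/* Constructed, simplified model of the structures involved (not GlusterFS
 * code): an xlator whose per-instance state hangs off this->private, and a
 * private block holding the child_up array. Only the fields needed to show
 * the failure mode are present. */
typedef struct {
    int child_count;
    unsigned char *child_up;   /* one byte per child: 1 = up, 0 = down */
} toy_private_t;

typedef struct {
    void *private;
} toy_xlator_t;

toy_private_t *toy_private_new(int child_count) {
    toy_private_t *priv = calloc(1, sizeof(*priv));
    priv->child_count = child_count;
    priv->child_up = calloc((size_t)child_count, 1);
    return priv;
}

void toy_private_free(toy_private_t *priv) {
    if (!priv) return;
    free(priv->child_up);
    free(priv);
}

/* Models the first thing fini does: detach the private state from the xlator.
 * Freeing is left to the caller so the demo stays memory-safe while still
 * exercising a notify that holds a stale cached pointer. */
void toy_detach_private(toy_xlator_t *this) {
    this->private = NULL;
}

static int count_up(const unsigned char *subvols, int n) {
    int up = 0;
    for (int i = 0; i < n; i++)
        up += subvols[i] ? 1 : 0;
    return up;
}

/* Shape of the crash site: priv is re-read from this->private and dereferenced
 * with no NULL check, so a notify racing with fini dereferences 0x0. */
int has_quorum_unchecked(const unsigned char *subvols, toy_xlator_t *this) {
    toy_private_t *priv = this->private;            /* 0x0 after fini */
    int up = count_up(subvols, priv->child_count);  /* segfault here */
    return up * 2 > priv->child_count;
}

/* Hardened variant: return -1 when the private state is gone instead of
 * dereferencing it. Quorum is a plain majority here, an assumption of this
 * model rather than AFR's configurable quorum policy. */
int has_quorum_checked(const unsigned char *subvols, toy_xlator_t *this) {
    if (this == NULL || this->private == NULL || subvols == NULL)
        return -1;
    toy_private_t *priv = this->private;
    int up = count_up(subvols, priv->child_count);
    return (up * 2 > priv->child_count) ? 1 : 0;
}

/* Models afr_notify: it snapshots priv once (frame #1 shows it still non-NULL)
 * and hands priv->child_up to the quorum check, which re-reads this->private.
 * If fini ran in between, that second read yields NULL. */
int notify_checked(toy_xlator_t *this, toy_private_t *cached_priv) {
    if (cached_priv == NULL)
        return -1;
    return has_quorum_checked(cached_priv->child_up, this);
}

/* Scenario 1: replica 3 with two children up -> quorum held (returns 1). */
int demo_quorum_held(void) {
    toy_xlator_t xl;
    toy_private_t *priv = toy_private_new(3);
    priv->child_up[0] = 1;
    priv->child_up[1] = 1;
    xl.private = priv;
    int r = notify_checked(&xl, priv);
    toy_private_free(priv);
    return r;
}

/* Scenario 2: only one of three children up -> no quorum (returns 0). */
int demo_quorum_lost(void) {
    toy_xlator_t xl;
    toy_private_t *priv = toy_private_new(3);
    priv->child_up[2] = 1;
    xl.private = priv;
    int r = notify_checked(&xl, priv);
    toy_private_free(priv);
    return r;
}

/* Scenario 3: the race from the report. notify captured priv, then fini
 * detached this->private before the quorum check ran. The checked path
 * returns -1 instead of dereferencing NULL. */
int demo_notify_after_fini(void) {
    toy_xlator_t xl;
    toy_private_t *priv = toy_private_new(3);
    priv->child_up[0] = 1;
    priv->child_up[1] = 1;
    xl.private = priv;
    toy_private_t *stale = xl.private;   /* what afr_notify's local priv holds */
    toy_detach_private(&xl);             /* fini: this->private is now 0x0 */
    int r = notify_checked(&xl, stale);  /* -1, no crash */
    toy_private_free(priv);
    return r;
}
```

The NULL check in the quorum routine only turns the crash into an error return; it does not close the underlying window in which a notify can run against an xlator whose fini has already started, so the cached `priv` in the notify path still points at memory that fini is about to free. A complete fix also has to stop delivering events to the xlator once teardown begins, which this model does not attempt.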