author: Soumya Koduri <skoduri@redhat.com> 2017-11-03 15:41:34 +0530
committer: Kaleb S. KEITHLEY <kkeithle@redhat.com> 2018-04-10 07:22:50 -0400
commit: 62f3b9c94a4e862d3c05d621696ef52584fb475a (patch)
tree: 6c2441a2d1e9d4bd7442298a758e61d8fe51ac65
parent: 9af1915e6135d5f699172f838342795b3b9d775d (diff)
timer: Fix possible race during cleanup
As mentioned in bug 1509189, there is a possible race between gf_timer_cancel(), gf_timer_proc() and gf_timer_registry_destroy() leading to use_after_free.

Problem:

1) gf_timer_proc() is called, locks reg, and gets an event. It unlocks reg, and calls the callback.
2) Meanwhile gf_timer_registry_destroy() is called, and removes reg from ctx, and joins on gf_timer_proc().
3) gf_timer_call_cancel() is called on the event being processed. It cannot find reg (since it's been removed from reg), so it frees event.
4) The callback returns into gf_timer_proc(), and it tries to free event, but it's already free, so double free.

Solution:

The fix is to bail out in gf_timer_cancel() when registry is not found. The logic behind this is that gf_timer_cancel() is called only on any existing event. That means there was a valid registry earlier while creating that event. And the only reason we cannot find that registry now is that it must have got set to NULL when context cleanup is started. Since gf_timer_proc() takes care of releasing all the remaining events active on that registry, it seems safe to bail out in gf_timer_cancel().

master: https://review.gluster.org/18652
master BZ: 1509189
Change-Id: Ia9b088533141c3bb335eff2fe06b52d1575bb34f
BUG: 1565590
Reported-by: Daniel Gryniewicz <dang@redhat.com>
Signed-off-by: Soumya Koduri <skoduri@redhat.com>
Signed-off-by: Kaleb S. KEITHLEY <kkeithle@redhat.com>
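The interleaving described in the commit message, replayed as an added example that is not part of this commit or of the GlusterFS tree: a deterministic, single-threaded model with constructed names (`sim_ctx_t`, `sim_registry_t`, `sim_event_t`, `cancel_before`, `cancel_after`) that executes steps 1-4 in order. Frees are counted rather than performed, so the double free shows up as a free count of 2 with the pre-patch cancel logic and 1 with the post-patch logic, while the normal cancel path with a live registry still frees exactly once in both versions.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed model of the race. The field names mirror ctx->timer and
 * ctx->cleanup_started from the patch, but the structures are simplified
 * and are not GlusterFS code. Frees are counted instead of performed so a
 * double free is observable rather than a crash. */
typedef struct sim_event {
    int fired;       /* callback has run */
    int free_count;  /* how many times the event has been "freed" */
} sim_event_t;

typedef struct sim_registry {
    sim_event_t *pending;  /* at most one queued event in this model */
} sim_registry_t;

typedef struct sim_ctx {
    sim_registry_t *timer; /* NULL once registry_destroy() has run */
    int cleanup_started;
} sim_ctx_t;

typedef int (*cancel_fn)(sim_ctx_t *, sim_event_t *);

static void sim_free_event(sim_event_t *ev)
{
    ev->free_count++;
}

/* Pre-patch behaviour: a missing registry means "free the event here". */
static int cancel_before(sim_ctx_t *ctx, sim_event_t *ev)
{
    sim_registry_t *reg = ctx->timer;
    if (!reg) {
        sim_free_event(ev);
        return 0;
    }
    if (reg->pending == ev)
        reg->pending = NULL;
    sim_free_event(ev);
    return 0;
}

/* Post-patch behaviour: bail out once cleanup has started or the
 * registry is gone; the timer thread owns the remaining events. */
static int cancel_after(sim_ctx_t *ctx, sim_event_t *ev)
{
    if (ctx->cleanup_started)
        return 0;
    sim_registry_t *reg = ctx->timer;
    if (!reg)
        return 0;
    if (reg->pending == ev)
        reg->pending = NULL;
    sim_free_event(ev);
    return 0;
}

/* Replays steps 1-4 of the commit message in order and returns how many
 * times the event ended up freed: 2 reproduces the bug, 1 is correct. */
static int replay_race(cancel_fn cancel)
{
    sim_registry_t reg = { NULL };
    sim_event_t ev = { 0, 0 };
    sim_ctx_t ctx = { &reg, 0 };

    reg.pending = &ev;

    /* 1) timer thread takes the event off the registry, unlocks, and is
     *    about to run the callback. */
    sim_event_t *in_flight = reg.pending;
    reg.pending = NULL;

    /* 2) registry_destroy runs: cleanup begins, registry is detached. */
    ctx.cleanup_started = 1;
    ctx.timer = NULL;

    /* 3) cancel is requested for the in-flight event. */
    cancel(&ctx, in_flight);

    /* 4) the callback returns and the timer thread frees the event. */
    in_flight->fired = 1;
    sim_free_event(in_flight);

    return in_flight->free_count;
}

/* Normal path with a live registry: cancel must unlink and free once.
 * Returns the free count, or -1 if the event was left on the registry. */
static int cancel_live_registry(cancel_fn cancel)
{
    sim_registry_t reg = { NULL };
    sim_event_t ev = { 0, 0 };
    sim_ctx_t ctx = { &reg, 0 };

    reg.pending = &ev;
    cancel(&ctx, &ev);
    return (reg.pending == NULL) ? ev.free_count : -1;
}

int main(void)
{
    printf("before patch: event freed %d times\n", replay_race(cancel_before));
    printf("after patch:  event freed %d times\n", replay_race(cancel_after));
    printf("live registry: event freed %d time(s)\n",
           cancel_live_registry(cancel_after));
    return 0;
}
```

The model keeps the two cancel variants side by side so the only difference under test is the bail-out; it does not model the `ctx->lock` critical section, which is why the real code still needs the `!reg` check inside the locked region even with the `cleanup_started` early return.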
-rw-r--r--  libglusterfs/src/timer.c | 15
1 files changed, 12 insertions, 3 deletions
diff --git a/libglusterfs/src/timer.c b/libglusterfs/src/timer.c
index 34dfd353bc8..d6f008d6017 100644
--- a/libglusterfs/src/timer.c
+++ b/libglusterfs/src/timer.c
@@ -83,6 +83,13 @@ gf_timer_call_cancel (glusterfs_ctx_t *ctx,
return 0;
}
+ if (ctx->cleanup_started) {
+ gf_msg_callingfn ("timer", GF_LOG_INFO, 0,
+ LG_MSG_CTX_CLEANUP_STARTED,
+ "ctx cleanup started");
+ return 0;
+ }
+
LOCK (&ctx->lock);
{
reg = ctx->timer;
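Review bot: the new `if (ctx->cleanup_started)` check at the top of this hunk reads the flag before `LOCK (&ctx->lock)` is taken, so a cleanup that begins between the check and the lock is not caught here and the fix relies entirely on the `!reg` branch inside the locked section; the commit message says so, but the code does not, so consider stating that next to this check. Also, `GF_LOG_INFO` on a path that can be hit for every pending cancel during shutdown may be noisy; `GF_LOG_DEBUG` would record the same fact.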
@@ -90,9 +97,11 @@ gf_timer_call_cancel (glusterfs_ctx_t *ctx,
UNLOCK (&ctx->lock);
if (!reg) {
- gf_msg ("timer", GF_LOG_ERROR, 0, LG_MSG_INIT_TIMER_FAILED,
- "!reg");
- GF_FREE (event);
+ /* This can happen when cleanup may have just started and
+ * gf_timer_registry_destroy() sets ctx->timer to NULL.
+ * Just bail out as success as gf_timer_proc() takes
+ * care of cleaning up the events.
+ */
return 0;
}
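Review bot: dropping both the `gf_msg ("timer", GF_LOG_ERROR, ...)` call and `GF_FREE (event)` turns `reg == NULL` into a silent success for every cause, not only the cleanup case the new comment describes; if `ctx->timer` is NULL for any other reason the event is now leaked without a trace, where the old code at least logged `!reg` at error level. Suggest keeping a debug-level message here (the `LG_MSG_CTX_CLEANUP_STARTED` id introduced in the previous hunk would fit) so the path stays observable, and wording the comment as the invariant the fix depends on: the registry can only be NULL once gf_timer_registry_destroy() has run, and gf_timer_proc() then frees the remaining events.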