[Bugs] [Bug 1509189] New: timer: Possible race condition between gf_timer_* routines
bugzilla at redhat.com
Fri Nov 3 10:11:27 UTC 2017
https://bugzilla.redhat.com/show_bug.cgi?id=1509189
Bug ID: 1509189
Summary: timer: Possible race condition between gf_timer_* routines
Product: GlusterFS
Version: mainline
Component: core
Severity: medium
Assignee: bugs at gluster.org
Reporter: skoduri at redhat.com
CC: bugs at gluster.org
Description of problem:
As mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1508817#c4, there
is a chance of hitting a race between gf_timer_registry_destroy(),
gf_timer_call_cancel() and gf_timer_proc() leading to a use-after-free.
As explained by Dan, the flow is as below -
gf_timer_proc() is called, locks reg, and gets an event. It unlocks reg, and
calls the callback.
Now, gf_timer_registry_destroy() is called, and removes reg from ctx, and joins
on gf_timer_proc().
Now, gf_timer_call_cancel() is called on the event being processed. It cannot
find reg (since it's been removed from reg), so it frees event.
Now the callback returns into gf_timer_proc(), and it tries to free event, but
it's already free, so double free.
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1.
2.
3.
Actual results:
Expected results:
Additional info:
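The interleaving described in the report, replayed step by step in a small single-threaded C model. This is an added illustration, not GlusterFS code; the struct and function names (event_t, registry_t, ctx_t, timer_proc_dequeue, timer_call_cancel, replay_race) are assumptions. It contrasts the reported behaviour (cancel frees the event when it cannot find the registry) with an ownership rule that closes the window: only the thread that dequeued the event releases it, so a cancel that sees no registry or an in-flight event returns an error without freeing.

```c
#include <stddef.h>

/* Toy model of the timer registry from the report. Names are assumptions,
 * not the real gf_timer_* structures. Single-threaded on purpose: the
 * interleaving from the report is replayed in order, and "release" is
 * counted instead of calling free(), so a double free becomes a count of 2. */
typedef struct event {
    int released;   /* times ownership was given up: >1 means double free */
    int in_flight;  /* set by proc under the registry lock once dequeued */
} event_t;

typedef struct registry { event_t *pending; } registry_t;
typedef struct ctx { registry_t *reg; } ctx_t;

/* Step 1: proc locks reg, dequeues the event, marks it in flight, then
 * unlocks and runs the callback. proc now owns the event. */
static event_t *timer_proc_dequeue(ctx_t *ctx) {
    event_t *ev = ctx->reg ? ctx->reg->pending : NULL;
    if (ev) { ctx->reg->pending = NULL; ev->in_flight = 1; }
    return ev;
}

/* Step 2: destroy removes reg from ctx (and would then join proc). */
static void timer_registry_destroy(ctx_t *ctx) { ctx->reg = NULL; }

/* Step 3: cancel on the event being processed.
 * Reported behaviour (hardened == 0): reg is gone, so the event is freed
 * even though proc still holds it.
 * Hardened variant: an in-flight event, or a missing registry, means the
 * caller gets -1 and nothing is freed; the owner (proc) frees it later. */
static int timer_call_cancel(ctx_t *ctx, event_t *ev, int hardened) {
    if (hardened && ev->in_flight)
        return -1;                       /* proc owns it: never touch it here */
    if (!ctx->reg) {
        if (!hardened) ev->released++;   /* bug from the report: frees anyway */
        return -1;
    }
    if (ctx->reg->pending == ev) ctx->reg->pending = NULL;
    ev->released++;                      /* still queued: cancel owns it */
    return 0;
}

/* Step 4: the callback returns into proc, which releases the event it owns. */
static void timer_proc_finish(event_t *ev) { ev->in_flight = 0; ev->released++; }

/* Replays the interleaving; returns how often the event was released
 * (2 = the double free from the report, 1 = correct). */
int replay_race(int hardened) {
    event_t ev = {0, 0};
    registry_t reg = { &ev };
    ctx_t ctx = { &reg };
    event_t *running = timer_proc_dequeue(&ctx);   /* proc gets the event */
    timer_registry_destroy(&ctx);                  /* reg removed from ctx */
    timer_call_cancel(&ctx, &ev, hardened);        /* cancel on in-flight event */
    timer_proc_finish(running);                    /* proc frees after callback */
    return ev.released;
}
```

In the real code the in_flight mark must be set and checked under the registry lock; the model omits the lock only because it is single-threaded.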