[Bugs] [Bug 1565590] timer: Possible race condition between gf_timer_* routines

bugzilla at redhat.com bugzilla at redhat.com
Thu Apr 12 05:20:09 UTC 2018


https://bugzilla.redhat.com/show_bug.cgi?id=1565590

Worker Ant <bugzilla-bot at gluster.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|POST                        |MODIFIED



--- Comment #2 from Worker Ant <bugzilla-bot at gluster.org> ---
COMMIT: https://review.gluster.org/19840 committed in release-3.12 by "Kaleb
KEITHLEY" <kkeithle at redhat.com> with a commit message - timer: Fix possible race
during cleanup

As mentioned in bug 1509189, there is a possible race
between gf_timer_cancel(), gf_timer_proc() and
gf_timer_registry_destroy() leading to use_after_free.

Problem:

1) gf_timer_proc() is called, locks reg, and gets an event.
It unlocks reg, and calls the callback.

2) Meanwhile gf_timer_registry_destroy() is called, and removes
reg from ctx, and joins on gf_timer_proc().

3) gf_timer_call_cancel() is called on the event being
processed.  It cannot find reg (since it's been removed from reg),
so it frees event.

4) the callback returns into gf_timer_proc(), and it tries to free
event, but it's already free, so double free.

Solution:
The fix is to bail out in gf_timer_cancel() when registry
is not found. The logic behind this is that gf_timer_cancel()
is called only on any existing event. That means there was a valid
registry earlier while creating that event. And the only reason
we cannot find that registry now is that it must have got set to
NULL when context cleanup is started.
Since gf_timer_proc() takes care of releasing all the remaining
events active on that registry, it seems safe to bail out
in gf_timer_cancel().

master https://review.gluster.org/18652
master BZ: 1509189

Change-Id: Ia9b088533141c3bb335eff2fe06b52d1575bb34f
BUG: 1565590
Reported-by: Daniel Gryniewicz <dang at redhat.com>
Signed-off-by: Soumya Koduri <skoduri at redhat.com>
Signed-off-by: Kaleb S. KEITHLEY <kkeithle at redhat.com>

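The following is a constructed C model of the four-step sequence in the commit message and of the bail-out the fix adds to gf_timer_call_cancel(); it is an added example, not GlusterFS code, and the struct layout, the lock placement, the free counter and the replay_race() helper are all assumptions made here to make the ownership rule observable.

```c
/* Constructed model of the timer race described above; not GlusterFS code. */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

struct event { int id; struct event *next; };                /* one timer   */
struct reg   { pthread_mutex_t lock; struct event *head; };  /* registry    */
struct ctx   { pthread_mutex_t lock; struct reg *reg; };     /* glusterfs ctx */

static int g_frees;                 /* counts frees; 2 would be a double free */
static void event_free(struct event *ev) { g_frees++; free(ev); }

/* Mirrors the fixed gf_timer_call_cancel(): a NULL registry means cleanup has
 * started and the proc thread now owns every remaining event, so bail out. */
int timer_call_cancel(struct ctx *ctx, struct event *ev)
{
    pthread_mutex_lock(&ctx->lock);
    struct reg *reg = ctx->reg;
    pthread_mutex_unlock(&ctx->lock);
    if (reg == NULL)
        return -1;                  /* the fix: never free ev on this path */
    pthread_mutex_lock(&reg->lock);
    for (struct event **pp = &reg->head; *pp; pp = &(*pp)->next)
        if (*pp == ev) { *pp = ev->next; break; }
    pthread_mutex_unlock(&reg->lock);
    event_free(ev);                 /* registry found: cancel owns the free */
    return 0;
}

/* Replays steps 1-4 of the commit message in program order on one thread and
 * returns how many times the event was freed (1 is correct, 2 is the bug). */
int replay_race(void)
{
    struct ctx ctx = { PTHREAD_MUTEX_INITIALIZER, NULL };
    struct reg *reg = calloc(1, sizeof *reg);
    struct event *ev = calloc(1, sizeof *ev);
    pthread_mutex_init(&reg->lock, NULL);
    reg->head = ev; ctx.reg = reg; g_frees = 0;
    /* 1) proc locks reg, takes the event, unlocks, and calls the callback */
    pthread_mutex_lock(&reg->lock); reg->head = ev->next; pthread_mutex_unlock(&reg->lock);
    /* 2) registry_destroy() removes reg from ctx while the callback runs */
    pthread_mutex_lock(&ctx.lock); ctx.reg = NULL; pthread_mutex_unlock(&ctx.lock);
    /* 3) the callback cancels the event being processed: cancel bails out */
    timer_call_cancel(&ctx, ev);
    /* 4) back in proc: the sole remaining owner frees the event exactly once */
    event_free(ev);
    pthread_mutex_destroy(&reg->lock); free(reg);
    return g_frees;
}

int main(void) { printf("event freed %d time(s)\n", replay_race()); return 0; }
```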
-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are the assignee for the bug.

