[Bugs] [Bug 1651165] New: Race in per-thread mem-pool when a thread is terminated
bugzilla at redhat.com
Mon Nov 19 10:39:44 UTC 2018
https://bugzilla.redhat.com/show_bug.cgi?id=1651165
Bug ID: 1651165
Summary: Race in per-thread mem-pool when a thread is terminated
Product: GlusterFS
Version: mainline
Component: core
Severity: high
Assignee: bugs at gluster.org
Reporter: jahernan at redhat.com
CC: bugs at gluster.org
Description of problem:
There's a race that happens when a thread is terminated and a mem_put() of an
object allocated by that thread is executed at the same time.
It can cause memory corruption and/or use after free.
The issue appears when the following sequence of events happens:
1. Thread T1 allocates a memory object O1 from its own private pool P1
2. T1 terminates and P1 is marked to be destroyed
3. The mem-sweeper thread is woken up and scans all private pools
4. It detects that P1 needs to be destroyed and starts releasing the
objects from hot and cold lists.
5. Thread T2 releases O1
6. O1 is added to the hot list of P1
Steps 4 and 6 access the same list without proper locks, so the list can get
corrupted.
Version-Release number of selected component (if applicable): mainline
How reproducible:
Unknown. Seen the issue by inspecting the code.
Steps to Reproduce:
1.
2.
3.
Actual results:
Expected results:
Additional info:
--
You are receiving this mail because:
You are on the CC list for the bug.
You are the assignee for the bug.
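
The six-step sequence in the report, with both list accesses (steps 4 and 6) serialized by a per-pool lock. This is an added example, not GlusterFS code and not the fix the project adopted. Every name in it (pool_t, pool_put, pool_sweep, pool_mark_dying) is hypothetical, and it assumes the pool structure itself outlives any object still outstanding.

```c
/* Added illustration, not GlusterFS code: all names here are hypothetical. */
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

typedef struct obj { struct obj *next; } obj_t;

typedef struct pool {
    pthread_mutex_t lock;  /* guards every field below */
    obj_t *hot, *cold;     /* cached free objects of the owning thread */
    bool dying;            /* set once the owning thread has terminated */
} pool_t;

void pool_init(pool_t *p) {
    pthread_mutex_init(&p->lock, NULL);
    p->hot = p->cold = NULL;
    p->dying = false;
}

/* Step 2: the owning thread terminates and its pool is marked for destruction. */
void pool_mark_dying(pool_t *p) {
    pthread_mutex_lock(&p->lock);
    p->dying = true;
    pthread_mutex_unlock(&p->lock);
}

/* Step 4: the sweeper detaches both lists under the lock, then frees the
 * detached nodes outside it. Returns the number of objects released. */
size_t pool_sweep(pool_t *p) {
    obj_t *lists[2] = { NULL, NULL };
    size_t n = 0;
    pthread_mutex_lock(&p->lock);
    if (p->dying) { lists[0] = p->hot; lists[1] = p->cold; p->hot = p->cold = NULL; }
    pthread_mutex_unlock(&p->lock);
    for (int i = 0; i < 2; i++)
        for (obj_t *o = lists[i], *nx; o != NULL; o = nx) { nx = o->next; free(o); n++; }
    return n;
}

/* Steps 5-6: release from any thread. Returns true if the object was cached
 * on the hot list, false if the pool is dying and the object was freed. */
bool pool_put(pool_t *p, obj_t *o) {
    pthread_mutex_lock(&p->lock);
    bool cache = !p->dying;
    if (cache) { o->next = p->hot; p->hot = o; }
    pthread_mutex_unlock(&p->lock);
    if (!cache) free(o);
    return cache;
}
```

Because the dying flag and the list heads are only read or written with the lock held, a release that arrives after the sweep can no longer link an object into a list the sweeper is walking.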