Fix: action executor: ref count imbalance for session object
authorJonathan Rajotte <jonathan.rajotte-julien@efficios.com>
Thu, 11 Nov 2021 20:02:54 +0000 (15:02 -0500)
committerJérémie Galarneau <jeremie.galarneau@efficios.com>
Fri, 17 Dec 2021 05:31:09 +0000 (00:31 -0500)
commitfa9611b15d5090a6b88221ea1fccfef897f12544
tree9eedd7fb8dc977823aec5e717e4ff76f8678eae8
parent4aef56636dd6e985ade1458597be2993df6e848f
Fix: action executor: ref count imbalance for session object

Observed issue
==============

The following scenario leads to a hang on `lttng destroy`.

 # Start lttng-sessiond under gdb
 $ gdb lttng-sessiond
     set pagination off
     set non-stop
     start
     break action_executor_snapshot_session_handler

 $ lttng add-trigger --name my_trigger --condition=event-rule-matches --type=user:tracepoint --name=sample_component:message --action=snapshot-session my_snapshot
 $ lttng create --snapshot my_snapshot
 $ lttng enable-event -u -a
 $ lttng start

 $ start an app producing a single sample_component:message

 # gdb should break on thread 6

 # inside gdb
thread 6

 $ lttng destroy my_snapshot
 $ lttng create --snapshot my_snapshot
 $ lttng enable-event -u -a
 $ lttng start

 # inside gdb use `continue`

 $ lttng destroy my_snapshot

  The destroy command hang:

  Destroying session my_snapshot.... ....

Cause
=====

The scenario forces the usage of the following code path:

 if (session->id != LTTNG_OPTIONAL_GET(item->context.session_id)) {
  624├───────────────> DBG("Session id for session `%s` (id: %" PRIu64
  625│                     " is not the same that was sampled (id: %" PRIu64
  626│                     " at the moment the work item was enqueued for %s` action of trigger `%s`",
  627│                                 session_name, session->id,
  628│                                 LTTNG_OPTIONAL_GET(item->context.session_id),
  629│                                 get_action_name(action),
  630│                                 get_trigger_name(work_item->trigger));
  631│                 ret = 0;
  632│                 goto error_unlock_list;
  633│         }

At that point a reference on the session object was taken on line:

 610│         session = session_find_by_name(session_name);

But the reference is never put on `error_unlock_list` resulting in a ref
count problem.

Solution
========

Use `session_put` for the code path.

Note that most of the handler also have the same problem that was
introduced by commit 72365501d3148ca977a09bad8de0ec51b427bdd8 [1]

Known drawbacks
=========

None.

Refs
=========
[1] https://github.com/lttng/lttng-tools/commit/72365501d3148ca977a09bad8de0ec51b427bdd8

Signed-off-by: Jonathan Rajotte <jonathan.rajotte-julien@efficios.com>
Signed-off-by: Jérémie Galarneau <jeremie.galarneau@efficios.com>
Change-Id: I23c3c089866df74854bbfe64320310c4b28ee41d
src/bin/lttng-sessiond/action-executor.c
This page took 0.027303 seconds and 4 git commands to generate.