Fix: race between statedump and library destructor
author Mathieu Desnoyers <mathieu.desnoyers@efficios.com> Thu, 20 Sep 2018 18:11:17 +0000 (14:11 -0400)
committer Mathieu Desnoyers <mathieu.desnoyers@efficios.com> Thu, 20 Sep 2018 19:12:33 +0000 (15:12 -0400)

The locking scheme for ust_lock() returns a teardown state (variable
lttng_ust_comm_should_quit) which is set by library destructor with lock
held.

It requires that when ust listener threads use this lock to protect
against concurrent accesses to a data structure, in addition to taking
the lock, they need to check the return value of ust_lock() and
skip their critical section entirely if the return value indicates
that teardown is ongoing.

Iteration over all loaded libraries by lttng_ust_dl_update() starts by
iter_begin which grabs the lock, and sets data->cancel state
appropriately if teardown is ongoing. Then extract_bin_info_events()
uses the data->cancel state to skip over use of the protected structures
as needed, but iter_end() fails to take this data->cancel state into
account. Therefore, it can access data structures concurrently while
their teardown is ongoing which leads to crashes.

Fixes: #1169
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
liblttng-ust/lttng-ust-statedump.c

index efa8a55aa675771c50ac57031c985f1787c70e21..f40b7195af4f9474d946609192423a22f8fbd76f 100644 (file)
@@ -414,6 +414,8 @@ void iter_end(struct dl_iterate_data *data, void *ip)
 {
        unsigned int i;
 
+       if (data->cancel)
+               goto end;
        /*
         * Iterate on hash table.
         * For each marked, traced, do nothing.
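Review bot: the early exit `if (data->cancel) goto end;` at the top of iter_end() carries no comment, so the reason the hash table walk is skipped is only recorded in the commit message. A short comment next to the check, stating that cancel is set by iter_begin when ust_lock() reports teardown and that the protected structures must not be touched in that case, would keep the locking rule visible to the next person who edits this function. A blank line between the check and the existing block comment would also separate the guard from the iteration logic.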
@@ -441,6 +443,7 @@ void iter_end(struct dl_iterate_data *data, void *ip)
                        }
                }
        }
+end:
        ust_unlock();
 }
 
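Review bot: placing `end:` directly before ust_unlock() means the cancel path still releases the lock, which is only correct if iter_begin always returns with the lock held, including when it sets data->cancel. The commit message says iter_begin grabs the lock before setting the cancel state, so this looks right, but the invariant is implicit: please document on iter_end() that it must always be paired with a preceding iter_begin and that it unlocks unconditionally, so that a later change to iter_begin that drops the lock on teardown does not turn this into an unbalanced unlock.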