Fix a race in isc_socket destruction.

Witold Krecicki requested to merge wpk/socket-destroy-race into master

There was a very slim chance of a race between isc_socket_detach and process_fd: isc_socket_detach decrements references to 0 and, before it calls destroy, gets preempted. A second thread calls process_fd, increments the socket references temporarily to 1, and then gets preempted; the first thread then hits an assertion in destroy() as the reference counter is now 1 and not 0. To avoid that:

  1. Verify that we don't double-dereference a socket in isc_socket_detach (a sanity check)
  2. Lock the socket earlier in process_fd to do the reference inc/dec under lock
  3. Destroy the reference counter in destroy() under a lock

Closes: #1651 (closed)

Edited by Ondřej Surý
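
The interleaving described above, replayed deterministically on one thread as an added example (not code from this merge request or from BIND). `model_sock_t`, `try_lock`, `unlock` and `destroy_observes` are hypothetical names, and the boolean `locked` flag is an assumed stand-in for the socket mutex.

```c
#include <stdatomic.h>
#include <stdbool.h>

/* Simplified model with hypothetical names, not BIND's isc_socket code. */
typedef struct {
    atomic_int refs;   /* reference counter */
    bool locked;       /* assumed stand-in for the socket mutex */
} model_sock_t;

static bool try_lock(model_sock_t *s) {
    if (s->locked) return false;
    s->locked = true;
    return true;
}
static void unlock(model_sock_t *s) { s->locked = false; }

/* Replays the schedule from the description:
 *   T1 (detach):     drops the last reference, is preempted before destroy
 *   T2 (process_fd): takes a temporary reference, is preempted
 *   T1 (destroy):    checks that the counter is 0
 * Returns the counter value that destroy's check observes, or -1 if the
 * step 1 sanity check trips. use_lock=true applies steps 2 and 3: T2's
 * inc/dec and T1's check all happen while holding the socket lock. */
int destroy_observes(bool use_lock) {
    model_sock_t s = { .locked = false };
    atomic_init(&s.refs, 1);

    /* T1: detach. Step 1 sanity check: previous value must be > 0. */
    int prev = atomic_fetch_sub(&s.refs, 1);
    if (prev <= 0) return -1;          /* double detach */
    /* T1 is preempted here, before destroy(). */

    /* T2: process_fd takes its temporary reference. */
    if (use_lock) (void)try_lock(&s);  /* step 2: lock first */
    atomic_fetch_add(&s.refs, 1);
    /* T2 is preempted here, holding the reference (and the lock). */

    /* T1 resumes in destroy(). */
    if (use_lock && !try_lock(&s)) {
        /* Step 3: destroy blocks on the lock, so T2 runs to completion. */
        atomic_fetch_sub(&s.refs, 1);
        unlock(&s);
        (void)try_lock(&s);
    }
    int seen = atomic_load(&s.refs);   /* the value destroy asserts on */
    if (use_lock) unlock(&s);
    return seen;
}
```

Without the lock the check sees the temporary reference; with it, the temporary reference only ever exists inside a critical section that destroy cannot enter.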