Fix a race in isc_socket destruction. (!3004) · Merge requests · ISC Open Source Projects / BIND

Witold Krecicki requested to merge wpk/socket-destroy-race into master Feb 05, 2020

There was a very slim chance of a race between isc_socket_detach and process_fd: isc_socket_detach decrements references to 0, and before it calls destroy gets preempted. Second thread calls process_fd, increments socket references temporarily to 1, and then gets preempted, first thread then hits assertion in destroy() as the reference counter is now 1 and not 0. To avoid that:

Verify that we don't double-dereference a socket in isc_socket_detach (a sanity check)
Lock the socket earlier in process_fd to do the reference inc/dec under lock
Destroy the reference counter in destroy() under a lock

Closes: #1651 (closed)

Edited Mar 03, 2020 by Ondřej Surý

Fix a race in isc_socket destruction.

Merge request reports