Fix a data race in isc_task_purgeevent() (!8937) · Merge requests · ISC Open Source Projects / BIND

Arаm Sаrgsyаn requested to merge aram/isc_task_purgeevent-race-fix into bind-9.18 Apr 04, 2024

When isc_task_purgeevent() is called for an 'event', the event, in the meanwhile, could in theory get processed, unlinked, and freed. So when the function then operates on the 'event', it causes a segmentation fault.

The only place where isc_task_purgeevent() is called is from timer_purge().

In order to resolve the data race, call isc_task_purgeevent() inside the 'timer->lock' locked block, so that timerevent_destroy() won't be able to destroy the event if it was processed in the meanwhile, before isc_task_purgeevent() had a chance to purge it.

In order to be able to do that, move the responsibility of calling isc_event_free() (upon a successful purge) out from the isc_task_purgeevent() function to its caller instead, so that it can be called outside of the timer->lock locked block.

Edited Apr 04, 2024 by Arаm Sаrgsyаn

Fix a data race in isc_task_purgeevent()

Merge request reports