1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
samba-mirror/lib/tevent/tevent_threads.c
Volker Lendecke 1fe7ec237a tevent_threads: Fix a rundown race introduced with 1828011317
The race is easily reproduced by adding a poll(NULL,0,10) in between the two
pthread_mutex_unlock calls in _tevent_threaded_schedule_immediate.

Before 1828011317, the main thread was signalled only after the helper
had already unlocked event_ctx_mutex.

Full explaination follows:
-----------------------------------------------------------------
Inside _tevent_threaded_schedule_immediate() we have:

476         ret = pthread_mutex_unlock(&ev->scheduled_mutex);
477         if (ret != 0) {
478                 abort();
479         }

HERE!!!!

481         ret = pthread_mutex_unlock(&tctx->event_ctx_mutex);
482         if (ret != 0) {
483                 abort();
484         }

At the HERE!!! point, what happens is tevent_common_threaded_activate_immediate(),
which is blocked on ev->scheduled_mutex, get released and does:

514         while (ev->scheduled_immediates != NULL) {
515                 struct tevent_immediate *im = ev->scheduled_immediates;
516                 DLIST_REMOVE(ev->scheduled_immediates, im);
517                 DLIST_ADD_END(ev->immediate_events, im);
518         }

- making an immediate event ready to be scheduled.

This then returns into epoll_event_loop_once(), which then calls:

910         if (ev->immediate_events &&
911             tevent_common_loop_immediate(ev)) {
912                 return 0;
913         }

which causes the immediate event to fire. This immediate
event is the pthread job terminate event, which was previously
set up in pthreadpool_tevent_job_signal() by:

198         if (state->tctx != NULL) {
199                 /* with HAVE_PTHREAD */
200                 tevent_threaded_schedule_immediate(state->tctx, state->im,
201                                                    pthreadpool_tevent_job_done,
202                                                    state);

So we now call pthreadpool_tevent_job_done() - which does:

225         TALLOC_FREE(state->tctx);

calling tevent_threaded_context_destructor():

384         ret = pthread_mutex_destroy(&tctx->event_ctx_mutex); <---------------- BOOM returns an error !
385         if (ret != 0) {
386                 abort();
387         }

as we haven't gotten to line 481 above (the line after
HERE!!!!) so the tctx->event_ctx_mutex is still
locked when we try to destroy it.

So doing an additional:

        ret = pthread_mutex_lock(&tctx->event_ctx_mutex);
        ret = pthread_mutex_unlock(&tctx->event_ctx_mutex);

(error checking elided) forces tevent_threaded_context_destructor()
to wait until tctx->event_ctx_mutex is unlocked before it locks/unlocks
and then is guaranteed safe to destroy.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-06-16 19:34:17 +02:00

548 lines
12 KiB
C

/*
tevent event library.
Copyright (C) Jeremy Allison 2015
** NOTE! The following LGPL license applies to the tevent
** library. This does NOT imply that all of Samba is released
** under the LGPL
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 3 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with this library; if not, see <http://www.gnu.org/licenses/>.
*/
#include "replace.h"
#include "system/filesys.h"
#include "talloc.h"
#include "tevent.h"
#include "tevent_internal.h"
#include "tevent_util.h"
#if defined(HAVE_PTHREAD)
#include <pthread.h>
struct tevent_immediate_list {
struct tevent_immediate_list *next, *prev;
tevent_immediate_handler_t handler;
struct tevent_immediate *im;
void *private_ptr;
};
struct tevent_thread_proxy {
pthread_mutex_t mutex;
struct tevent_context *dest_ev_ctx;
int read_fd;
int write_fd;
struct tevent_fd *pipe_read_fde;
/* Pending events list. */
struct tevent_immediate_list *im_list;
/* Completed events list. */
struct tevent_immediate_list *tofree_im_list;
struct tevent_immediate *free_im;
};
static void free_im_list(struct tevent_immediate_list **pp_list_head)
{
struct tevent_immediate_list *im_entry = NULL;
struct tevent_immediate_list *im_next = NULL;
for (im_entry = *pp_list_head; im_entry; im_entry = im_next) {
im_next = im_entry->next;
DLIST_REMOVE(*pp_list_head, im_entry);
TALLOC_FREE(im_entry);
}
}
static void free_list_handler(struct tevent_context *ev,
struct tevent_immediate *im,
void *private_ptr)
{
struct tevent_thread_proxy *tp =
talloc_get_type_abort(private_ptr, struct tevent_thread_proxy);
int ret;
ret = pthread_mutex_lock(&tp->mutex);
if (ret != 0) {
abort();
/* Notreached. */
return;
}
free_im_list(&tp->tofree_im_list);
ret = pthread_mutex_unlock(&tp->mutex);
if (ret != 0) {
abort();
/* Notreached. */
return;
}
}
static void schedule_immediate_functions(struct tevent_thread_proxy *tp)
{
struct tevent_immediate_list *im_entry = NULL;
struct tevent_immediate_list *im_next = NULL;
for (im_entry = tp->im_list; im_entry; im_entry = im_next) {
im_next = im_entry->next;
DLIST_REMOVE(tp->im_list, im_entry);
tevent_schedule_immediate(im_entry->im,
tp->dest_ev_ctx,
im_entry->handler,
im_entry->private_ptr);
/* Move from pending list to free list. */
DLIST_ADD(tp->tofree_im_list, im_entry);
}
if (tp->tofree_im_list != NULL) {
/*
* Once the current immediate events
* are processed, we need to reschedule
* ourselves to free them. This works
* as tevent_schedule_immediate()
* always adds events to the *END* of
* the immediate events list.
*/
tevent_schedule_immediate(tp->free_im,
tp->dest_ev_ctx,
free_list_handler,
tp);
}
}
static void pipe_read_handler(struct tevent_context *ev,
struct tevent_fd *fde,
uint16_t flags,
void *private_ptr)
{
struct tevent_thread_proxy *tp =
talloc_get_type_abort(private_ptr, struct tevent_thread_proxy);
ssize_t len = 64;
int ret;
ret = pthread_mutex_lock(&tp->mutex);
if (ret != 0) {
abort();
/* Notreached. */
return;
}
/*
* Clear out all data in the pipe. We
* don't really care if this returns -1.
*/
while (len == 64) {
char buf[64];
len = read(tp->read_fd, buf, 64);
};
schedule_immediate_functions(tp);
ret = pthread_mutex_unlock(&tp->mutex);
if (ret != 0) {
abort();
/* Notreached. */
return;
}
}
static int tevent_thread_proxy_destructor(struct tevent_thread_proxy *tp)
{
int ret;
ret = pthread_mutex_lock(&tp->mutex);
if (ret != 0) {
abort();
/* Notreached. */
return 0;
}
TALLOC_FREE(tp->pipe_read_fde);
if (tp->read_fd != -1) {
(void)close(tp->read_fd);
tp->read_fd = -1;
}
if (tp->write_fd != -1) {
(void)close(tp->write_fd);
tp->write_fd = -1;
}
/* Hmmm. It's probably an error if we get here with
any non-NULL immediate entries.. */
free_im_list(&tp->im_list);
free_im_list(&tp->tofree_im_list);
TALLOC_FREE(tp->free_im);
ret = pthread_mutex_unlock(&tp->mutex);
if (ret != 0) {
abort();
/* Notreached. */
return 0;
}
ret = pthread_mutex_destroy(&tp->mutex);
if (ret != 0) {
abort();
/* Notreached. */
return 0;
}
return 0;
}
/*
* Create a struct that can be passed to other threads
* to allow them to signal the struct tevent_context *
* passed in.
*/
struct tevent_thread_proxy *tevent_thread_proxy_create(
struct tevent_context *dest_ev_ctx)
{
int ret;
int pipefds[2];
struct tevent_thread_proxy *tp;
tp = talloc_zero(dest_ev_ctx, struct tevent_thread_proxy);
if (tp == NULL) {
return NULL;
}
ret = pthread_mutex_init(&tp->mutex, NULL);
if (ret != 0) {
goto fail;
}
tp->dest_ev_ctx = dest_ev_ctx;
tp->read_fd = -1;
tp->write_fd = -1;
talloc_set_destructor(tp, tevent_thread_proxy_destructor);
ret = pipe(pipefds);
if (ret == -1) {
goto fail;
}
tp->read_fd = pipefds[0];
tp->write_fd = pipefds[1];
ret = ev_set_blocking(pipefds[0], false);
if (ret != 0) {
goto fail;
}
ret = ev_set_blocking(pipefds[1], false);
if (ret != 0) {
goto fail;
}
if (!ev_set_close_on_exec(pipefds[0])) {
goto fail;
}
if (!ev_set_close_on_exec(pipefds[1])) {
goto fail;
}
tp->pipe_read_fde = tevent_add_fd(dest_ev_ctx,
tp,
tp->read_fd,
TEVENT_FD_READ,
pipe_read_handler,
tp);
if (tp->pipe_read_fde == NULL) {
goto fail;
}
/*
* Create an immediate event to free
* completed lists.
*/
tp->free_im = tevent_create_immediate(tp);
if (tp->free_im == NULL) {
goto fail;
}
return tp;
fail:
TALLOC_FREE(tp);
return NULL;
}
/*
* This function schedules an immediate event to be called with argument
* *pp_private in the thread context of dest_ev_ctx. Caller doesn't
* wait for activation to take place, this is simply fire-and-forget.
*
* pp_im must be a pointer to an immediate event talloced on
* a context owned by the calling thread, or the NULL context.
* Ownership of *pp_im will be transfered to the tevent library.
*
* pp_private can be null, or contents of *pp_private must be
* talloc'ed memory on a context owned by the calling thread
* or the NULL context. If non-null, ownership of *pp_private will
* be transfered to the tevent library.
*
* If you want to return a message, have the destination use the
* same function call to send back to the caller.
*/
void tevent_thread_proxy_schedule(struct tevent_thread_proxy *tp,
struct tevent_immediate **pp_im,
tevent_immediate_handler_t handler,
void *pp_private_data)
{
struct tevent_immediate_list *im_entry;
int ret;
char c;
ssize_t written;
ret = pthread_mutex_lock(&tp->mutex);
if (ret != 0) {
abort();
/* Notreached. */
return;
}
if (tp->write_fd == -1) {
/* In the process of being destroyed. Ignore. */
goto end;
}
/* Create a new immediate_list entry. MUST BE ON THE NULL CONTEXT */
im_entry = talloc_zero(NULL, struct tevent_immediate_list);
if (im_entry == NULL) {
goto end;
}
im_entry->handler = handler;
im_entry->im = talloc_move(im_entry, pp_im);
if (pp_private_data != NULL) {
void **pptr = (void **)pp_private_data;
im_entry->private_ptr = talloc_move(im_entry, pptr);
}
DLIST_ADD(tp->im_list, im_entry);
/* And notify the dest_ev_ctx to wake up. */
c = '\0';
do {
written = write(tp->write_fd, &c, 1);
} while (written == -1 && errno == EINTR);
end:
ret = pthread_mutex_unlock(&tp->mutex);
if (ret != 0) {
abort();
/* Notreached. */
}
}
#else
/* !HAVE_PTHREAD */
struct tevent_thread_proxy *tevent_thread_proxy_create(
struct tevent_context *dest_ev_ctx)
{
errno = ENOSYS;
return NULL;
}
void tevent_thread_proxy_schedule(struct tevent_thread_proxy *tp,
struct tevent_immediate **pp_im,
tevent_immediate_handler_t handler,
void *pp_private_data)
{
;
}
#endif
static int tevent_threaded_context_destructor(
struct tevent_threaded_context *tctx)
{
int ret;
if (tctx->event_ctx != NULL) {
DLIST_REMOVE(tctx->event_ctx->threaded_contexts, tctx);
}
/*
* We have to coordinate with _tevent_threaded_schedule_immediate's
* unlock of the event_ctx_mutex. We're in the main thread here,
* and we can be scheduled before the helper thread finalizes its
* call _tevent_threaded_schedule_immediate. This means we would
* pthreadpool_destroy a locked mutex, which is illegal.
*/
ret = pthread_mutex_lock(&tctx->event_ctx_mutex);
if (ret != 0) {
abort();
}
ret = pthread_mutex_unlock(&tctx->event_ctx_mutex);
if (ret != 0) {
abort();
}
ret = pthread_mutex_destroy(&tctx->event_ctx_mutex);
if (ret != 0) {
abort();
}
return 0;
}
struct tevent_threaded_context *tevent_threaded_context_create(
TALLOC_CTX *mem_ctx, struct tevent_context *ev)
{
#ifdef HAVE_PTHREAD
struct tevent_threaded_context *tctx;
int ret;
ret = tevent_common_wakeup_init(ev);
if (ret != 0) {
errno = ret;
return NULL;
}
tctx = talloc(mem_ctx, struct tevent_threaded_context);
if (tctx == NULL) {
return NULL;
}
tctx->event_ctx = ev;
tctx->wakeup_fd = ev->wakeup_fd;
ret = pthread_mutex_init(&tctx->event_ctx_mutex, NULL);
if (ret != 0) {
TALLOC_FREE(tctx);
return NULL;
}
DLIST_ADD(ev->threaded_contexts, tctx);
talloc_set_destructor(tctx, tevent_threaded_context_destructor);
return tctx;
#else
errno = ENOSYS;
return NULL;
#endif
}
void _tevent_threaded_schedule_immediate(struct tevent_threaded_context *tctx,
struct tevent_immediate *im,
tevent_immediate_handler_t handler,
void *private_data,
const char *handler_name,
const char *location)
{
#ifdef HAVE_PTHREAD
struct tevent_context *ev;
int ret;
ret = pthread_mutex_lock(&tctx->event_ctx_mutex);
if (ret != 0) {
abort();
}
ev = tctx->event_ctx;
if (ev == NULL) {
/*
* Our event context is already gone.
*/
ret = pthread_mutex_unlock(&tctx->event_ctx_mutex);
if (ret != 0) {
abort();
}
return;
}
if ((im->event_ctx != NULL) || (handler == NULL)) {
abort();
}
im->event_ctx = ev;
im->handler = handler;
im->private_data = private_data;
im->handler_name = handler_name;
im->schedule_location = location;
im->cancel_fn = NULL;
im->additional_data = NULL;
ret = pthread_mutex_lock(&ev->scheduled_mutex);
if (ret != 0) {
abort();
}
DLIST_ADD_END(ev->scheduled_immediates, im);
ret = pthread_mutex_unlock(&ev->scheduled_mutex);
if (ret != 0) {
abort();
}
ret = pthread_mutex_unlock(&tctx->event_ctx_mutex);
if (ret != 0) {
abort();
}
/*
* We might want to wake up the main thread under the lock. We
* had a slightly similar situation in pthreadpool, changed
* with 1c4284c7395f23. This is not exactly the same, as the
* wakeup is only a last-resort thing in case the main thread
* is sleeping. Doing the wakeup under the lock can easily
* lead to a contended mutex, which is much more expensive
* than a noncontended one. So I'd opt for the lower footprint
* initially. Maybe we have to change that later.
*/
tevent_common_wakeup_fd(tctx->wakeup_fd);
#else
/*
* tevent_threaded_context_create() returned NULL with ENOSYS...
*/
abort();
#endif
}
void tevent_common_threaded_activate_immediate(struct tevent_context *ev)
{
#ifdef HAVE_PTHREAD
int ret;
ret = pthread_mutex_lock(&ev->scheduled_mutex);
if (ret != 0) {
abort();
}
while (ev->scheduled_immediates != NULL) {
struct tevent_immediate *im = ev->scheduled_immediates;
DLIST_REMOVE(ev->scheduled_immediates, im);
DLIST_ADD_END(ev->immediate_events, im);
}
ret = pthread_mutex_unlock(&ev->scheduled_mutex);
if (ret != 0) {
abort();
}
#else
/*
* tevent_threaded_context_create() returned NULL with ENOSYS...
*/
abort();
#endif
}