From 4a6fa39ff96e10b1f36b0656ca27ea74f20ff110 Mon Sep 17 00:00:00 2001 From: Amitay Isaacs Date: Mon, 29 Oct 2012 14:56:10 +1100 Subject: daemon: Protect against double free of callback state while shutting down When CTDB is shut down and monitoring has been stopped, monitor_context gets freed and all the callback states hanging off it. This includes callback state for current_monitor, if the current monitor event has not yet finished. As a result, when the shutdown event is called, current_monitor->callback state is not NULL, but it's actually freed and it's a dangling reference. So before executing callback function and freeing callback state check if ctdb->monitor->monitor_context is not NULL. Signed-off-by: Amitay Isaacs (This used to be ctdb commit 7d8546ee4353851f0543d0ca2c4c67cb0cc75aea) --- ctdb/include/ctdb_private.h | 1 + ctdb/server/ctdb_monitor.c | 7 +++++++ ctdb/server/eventscript.c | 5 +++-- 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/ctdb/include/ctdb_private.h b/ctdb/include/ctdb_private.h index fb541958f4..5b519fbc68 100644 --- a/ctdb/include/ctdb_private.h +++ b/ctdb/include/ctdb_private.h @@ -1343,6 +1343,7 @@ int ctdb_repack(struct ctdb_context *ctdb, int argc, const char **argv); void ctdb_block_signal(int signum); void ctdb_unblock_signal(int signum); int32_t ctdb_monitoring_mode(struct ctdb_context *ctdb); +bool ctdb_stopped_monitoring(struct ctdb_context *ctdb); int ctdb_set_child_logging(struct ctdb_context *ctdb); void ctdb_lockdown_memory(struct ctdb_context *ctdb); diff --git a/ctdb/server/ctdb_monitor.c b/ctdb/server/ctdb_monitor.c index bc21e5bb1d..984f947a3b 100644 --- a/ctdb/server/ctdb_monitor.c +++ b/ctdb/server/ctdb_monitor.c @@ -506,3 +506,10 @@ int32_t ctdb_monitoring_mode(struct ctdb_context *ctdb) return ctdb->monitor->monitoring_mode; } +/* + * Check if monitoring has been stopped + */ +bool ctdb_stopped_monitoring(struct ctdb_context *ctdb) +{ + return (ctdb->monitor->monitor_context == NULL ? true : false); +} diff --git a/ctdb/server/eventscript.c b/ctdb/server/eventscript.c index 6a75877bff..762f9506fa 100644 --- a/ctdb/server/eventscript.c +++ b/ctdb/server/eventscript.c @@ -781,8 +781,9 @@ static int ctdb_event_script_callback_v(struct ctdb_context *ctdb, if (ctdb->current_monitor) { struct ctdb_event_script_state *ms = talloc_get_type(ctdb->current_monitor, struct ctdb_event_script_state); - /* cancel it */ - if (ms->callback != NULL) { + /* Cancel current monitor callback state only if monitoring + * context ctdb->monitor->monitor_context has not been freed */ + if (ms->callback != NULL && !ctdb_stopped_monitoring(ctdb)) { ms->callback->fn(ctdb, -ECANCELED, ms->callback->private_data); talloc_free(ms->callback); } -- cgit