Juniper Openstack

Race condition in LifetimeManager could result in access to freed memory

Bug #1452122 reported by Nischal Sheth on 2015-05-06

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
Juniper Openstack	Status tracked in Trunk
R2.20	Fix Committed	Medium	Nischal Sheth	Juniper Openstack r2.20-fcs
Trunk	Fix Committed	Medium	Nischal Sheth	Juniper Openstack r3.0-fcs

Bug Description

Access to freed memory can happen in the following scenario:

- LifetimeActor::Delete is called from main thread i.e. not from any Task
- LifetimeActor::Delete sets the deleted_ flag on the actor but it hasn't
yet enqueued the actor to the LifetimeManager
- LifetimeActor::RemoveDependency gets called on the actor in question
- If the dependent being removed is the last one, refcount_ is incremented
to 1 and the actor is added to LifetimeManager queue
- LifetimeManager::DeleteExecutor calls ReferenceDecrementAndTest on the
actor in question, which returns true because the deleted_ flag is set and
the refcount_ just became 0
- LifetimeManager::DeleteExecutor calls destroy on the actor
- LifetimeActor::Delete now calls LifetimeManager::Enqueue which accesses
the destroyed actor

Note that this problem will not happen if LifetimeActor::Delete is called
from any Task, since all Tasks are mutually exclusive with bgp::Config and
LifetimeManager::DeleteExecutor runs in context of bgp::Config Task.

Since LifetimeActor::Delete is called from main thread only during control
node shutdown and in unit tests, this problem shouldn't impact normal
operation of control node.

See original description

Tags:

Nischal Sheth (nsheth) on 2015-05-06

description:	updated
description:	updated

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2015-05-06: master

Review in progress for https://review.opencontrail.org/10015
Submitter: Nischal Sheth (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2015-05-06: R2.20

Review in progress for https://review.opencontrail.org/10017
Submitter: Nischal Sheth (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2015-05-10: A change has been merged

Reviewed: https://review.opencontrail.org/10015
Committed: http://github.org/Juniper/contrail-controller/commit/46f43c82cc11c801191e10b546fdac1d704d0be4
Submitter: Zuul
Branch: master

commit 46f43c82cc11c801191e10b546fdac1d704d0be4
Author: Nischal Sheth <email address hidden>
Date: Wed May 6 09:52:48 2015 -0700

Fix race condition in LifetimeManager

Use the mutex to prevent LifetimeActor::ReferenceDecrementAndTest
from running in parallel with LifetimeActor::Delete.

Change-Id: If539c9a2f5f84780e19128477fe62dc177006571
Closes-Bug: 1452122

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2015-05-10:

Reviewed: https://review.opencontrail.org/10017
Committed: http://github.org/Juniper/contrail-controller/commit/78d842d7b1108988bba85631fe25e005eadac9eb
Submitter: Zuul
Branch: R2.20

commit 78d842d7b1108988bba85631fe25e005eadac9eb
Author: Nischal Sheth <email address hidden>
Date: Wed May 6 09:52:48 2015 -0700

Fix race condition in LifetimeManager

Use the mutex to prevent LifetimeActor::ReferenceDecrementAndTest
from running in parallel with LifetimeActor::Delete.

Change-Id: If539c9a2f5f84780e19128477fe62dc177006571
Closes-Bug: 1452122

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.