tevent: Fix a race condition

We can't rely on tctx to exist after we unlocked the mutex. It took a while, but this does lead to data corruption. If *tctx is replaced with something where tctx->wakeup_fd points to a real, existing file descriptor, we're screwed. And by screwed, this means file corruption on disk. Again. I am not tall enough for this business. http://bholley.net/blog/2015/must-be-this-tall-to-write-multi-threaded-code.html BUG: https://bugzilla.samba.org/show_bug.cgi?id=13130 Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Sat Nov 11 03:20:09 CET 2017 on sn-devel-144
samba-team · Nov 11, 2017 · 20cfcb7 · 20cfcb7
1 parent 71720e2
commit 20cfcb7
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/lib/tevent/tevent_threads.c b/lib/tevent/tevent_threads.c
@@ -451,7 +451,7 @@ void _tevent_threaded_schedule_immediate(struct tevent_threaded_context *tctx,
 {
 #ifdef HAVE_PTHREAD
 	struct tevent_context *ev;
-	int ret;
+	int ret, wakeup_fd;
 
 	ret = pthread_mutex_lock(&tctx->event_ctx_mutex);
 	if (ret != 0) {
@@ -495,6 +495,8 @@ void _tevent_threaded_schedule_immediate(struct tevent_threaded_context *tctx,
 		abort();
 	}
 
+	wakeup_fd = tctx->wakeup_fd;
+
 	ret = pthread_mutex_unlock(&tctx->event_ctx_mutex);
 	if (ret != 0) {
 		abort();
@@ -510,7 +512,7 @@ void _tevent_threaded_schedule_immediate(struct tevent_threaded_context *tctx,
 	 * than a noncontended one. So I'd opt for the lower footprint
 	 * initially. Maybe we have to change that later.
 	 */
-	tevent_common_wakeup_fd(tctx->wakeup_fd);
+	tevent_common_wakeup_fd(wakeup_fd);
 #else
 	/*
 	 * tevent_threaded_context_create() returned NULL with ENOSYS...