Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please age package corosync

* [f641780] New patch: stats: fix crash when iterating over deleted keys.
  Cherry-picked from v3.1.4. (change by Ferenc Wágner)

autopkgtest for corosync/3.1.2-2: amd64: Pass, arm64: Pass, armhf: Pass, i386: Pass, ppc64el: Pass
Too young, only 7 of 20 days old

This would reach 20 days after the deadline July 17th.
diff -Nru corosync-3.1.2/debian/changelog corosync-3.1.2/debian/changelog --- corosync-3.1.2/debian/changelog 2021-04-07 15:19:13.000000000 +0300 +++ corosync-3.1.2/debian/changelog 2021-07-05 10:11:09.000000000 +0300 @@ -1,3 +1,11 @@ +corosync (3.1.2-2) unstable; urgency=medium + + * [f641780] New patch: stats: fix crash when iterating over deleted keys. + Cherry-picked from v3.1.4. + Thanks to Christine Caulfield + + -- Ferenc Wágner <wf...@debian.org> Mon, 05 Jul 2021 09:11:09 +0200 + corosync (3.1.2-1) unstable; urgency=medium * [2c66d6d] New upstream release (3.1.2) diff -Nru corosync-3.1.2/debian/patches/series corosync-3.1.2/debian/patches/series --- corosync-3.1.2/debian/patches/series 2021-04-07 15:18:49.000000000 +0300 +++ corosync-3.1.2/debian/patches/series 2021-07-05 10:08:39.000000000 +0300 @@ -2,3 +2,4 @@ Enable-PrivateTmp-in-the-systemd-service-files.patch Make-the-example-config-valid.patch man-corosync-cfgtool.8-use-proper-single-quotes.patch +stats-fix-crash-when-iterating-over-deleted-keys.patch diff -Nru corosync-3.1.2/debian/patches/stats-fix-crash-when-iterating-over-deleted-keys.patch corosync-3.1.2/debian/patches/stats-fix-crash-when-iterating-over-deleted-keys.patch --- corosync-3.1.2/debian/patches/stats-fix-crash-when-iterating-over-deleted-keys.patch 1970-01-01 02:00:00.000000000 +0200 +++ corosync-3.1.2/debian/patches/stats-fix-crash-when-iterating-over-deleted-keys.patch 2021-07-05 10:08:39.000000000 +0300 
@@ -0,0 +1,64 @@ +From: Christine Caulfield <ccaul...@redhat.com> +Date: Thu, 3 Jun 2021 07:53:28 +0100 +Subject: stats: fix crash when iterating over deleted keys + +The libqb map API leaves 'ownership' of the data with the caller +but does its own lifetime management, so it can easily happen that +map_rm() is called and the data deleted by the caller. +But if an iterator is running over that item then the map entry +will not get removed (leaving dangling pointers) until later. + +libqb has a hack-y callback that tells the owner when it is safe to +delete the allocated memory, so we hook into that. icmap is already +using this. + +Signed-off-by: Christine Caulfield <ccaul...@redhat.com> +Reviewed-by: Jan Friesse <jfrie...@redhat.com> +--- + exec/stats.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/exec/stats.c b/exec/stats.c +index d5c1cbc..d9fd115 100644 +--- a/exec/stats.c ++++ b/exec/stats.c +@@ -270,6 +270,17 @@ static void stats_rm_entry(const char *key) + + if (item) { + qb_map_rm(stats_map, item->key_name); ++ /* Structures freed in callback below */ ++ } ++} ++ ++static void stats_map_free_cb(uint32_t event, ++ char* key, void* old_value, ++ void* value, void* user_data) ++{ ++ struct stats_item *item = (struct stats_item *)old_value; ++ ++ if (item) { + free(item->key_name); + free(item); + } +@@ -279,6 +290,7 @@ cs_error_t stats_map_init(const struct corosync_api_v1 *corosync_api) + { + int i; + char param[ICMAP_KEYNAME_MAXLEN]; ++ int32_t err; + + api = corosync_api; + +@@ -302,7 +314,12 @@ cs_error_t stats_map_init(const struct corosync_api_v1 *corosync_api) + } + + /* KNET, IPCS & SCHEDMISS stats are added when appropriate */ +- return CS_OK; ++ ++ ++ /* Call us when we can free things */ ++ err = qb_map_notify_add(stats_map, NULL, stats_map_free_cb, QB_MAP_NOTIFY_FREE, NULL); ++ ++ return (qb_to_cs_error(err)); + } + + cs_error_t stats_map_get(const char *key_name,
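Review bot: The header of the new debian/patches/stats-fix-crash-when-iterating-over-deleted-keys.patch carries From, Date and Subject but no reference to the upstream commit, while the changelog entry only says "Cherry-picked from v3.1.4". Adding a DEP-3 Origin field (Origin: upstream, followed by the upstream commit URL or id) would let the release team check that the backport matches upstream without searching the v3.1.4 history.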
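Review bot: stats_map_free_cb() in the exec/stats.c hunk at -270 never looks at its event argument and frees old_value unconditionally. That is safe only while the callback is registered for QB_MAP_NOTIFY_FREE alone, as the qb_map_notify_add() call later in the patch does. An early return when event != QB_MAP_NOTIFY_FREE, or a comment stating that assumption next to the "Structures freed in callback below" remark, would keep a later change to the registration flags from turning this into a free of a live entry or a double free.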
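Review bot: In the stats_map_init() hunk at -302, a failure of qb_map_notify_add() is passed straight to return (qb_to_cs_error(err)); with no log message. Since stats_rm_entry() no longer frees item->key_name and item itself, a map without the callback registered would leak every removed entry, so the failure deserves a logged error before returning. The hunk also adds two consecutive blank lines before the "Call us when we can free things" comment; one is enough.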