Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please age package corosync
* [f641780] New patch: stats: fix crash when iterating over deleted keys.
Cherry-picked from v3.1.4.
(change by Ferenc Wágner)
autopkgtest for corosync/3.1.2-2: amd64: Pass, arm64: Pass, armhf: Pass, i386:
Pass, ppc64el: Pass
Too young, only 7 of 20 days old
This would reach 20 days after the deadline July 17th.
diff -Nru corosync-3.1.2/debian/changelog corosync-3.1.2/debian/changelog
--- corosync-3.1.2/debian/changelog 2021-04-07 15:19:13.000000000 +0300
+++ corosync-3.1.2/debian/changelog 2021-07-05 10:11:09.000000000 +0300
@@ -1,3 +1,11 @@
+corosync (3.1.2-2) unstable; urgency=medium
+
+ * [f641780] New patch: stats: fix crash when iterating over deleted keys.
+ Cherry-picked from v3.1.4.
+ Thanks to Christine Caulfield
+
+ -- Ferenc Wágner <wf...@debian.org> Mon, 05 Jul 2021 09:11:09 +0200
+
corosync (3.1.2-1) unstable; urgency=medium
* [2c66d6d] New upstream release (3.1.2)
diff -Nru corosync-3.1.2/debian/patches/series
corosync-3.1.2/debian/patches/series
--- corosync-3.1.2/debian/patches/series 2021-04-07 15:18:49.000000000
+0300
+++ corosync-3.1.2/debian/patches/series 2021-07-05 10:08:39.000000000
+0300
@@ -2,3 +2,4 @@
Enable-PrivateTmp-in-the-systemd-service-files.patch
Make-the-example-config-valid.patch
man-corosync-cfgtool.8-use-proper-single-quotes.patch
+stats-fix-crash-when-iterating-over-deleted-keys.patch
diff -Nru
corosync-3.1.2/debian/patches/stats-fix-crash-when-iterating-over-deleted-keys.patch
corosync-3.1.2/debian/patches/stats-fix-crash-when-iterating-over-deleted-keys.patch
---
corosync-3.1.2/debian/patches/stats-fix-crash-when-iterating-over-deleted-keys.patch
1970-01-01 02:00:00.000000000 +0200
+++
corosync-3.1.2/debian/patches/stats-fix-crash-when-iterating-over-deleted-keys.patch
2021-07-05 10:08:39.000000000 +0300
@@ -0,0 +1,64 @@
+From: Christine Caulfield <ccaul...@redhat.com>
+Date: Thu, 3 Jun 2021 07:53:28 +0100
+Subject: stats: fix crash when iterating over deleted keys
+
+The libqb map API leaves 'ownership' of the data with the caller
+but does its own lifetime management, so it can easily happen that
+map_rm() is called and the data deleted by the caller.
+But if an iterator is running over that item then the map entry
+will not get removed (leaving dangling pointers) until later.
+
+libqb has a hack-y callback that tells the owner when it is safe to
+delete the allocated memory, so we hook into that. icmap is already
+using this.
+
+Signed-off-by: Christine Caulfield <ccaul...@redhat.com>
+Reviewed-by: Jan Friesse <jfrie...@redhat.com>
+---
+ exec/stats.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/exec/stats.c b/exec/stats.c
+index d5c1cbc..d9fd115 100644
+--- a/exec/stats.c
++++ b/exec/stats.c
+@@ -270,6 +270,17 @@ static void stats_rm_entry(const char *key)
+
+ if (item) {
+ qb_map_rm(stats_map, item->key_name);
++ /* Structures freed in callback below */
++ }
++}
++
++static void stats_map_free_cb(uint32_t event,
++ char* key, void* old_value,
++ void* value, void* user_data)
++{
++ struct stats_item *item = (struct stats_item *)old_value;
++
++ if (item) {
+ free(item->key_name);
+ free(item);
+ }
+@@ -279,6 +290,7 @@ cs_error_t stats_map_init(const struct corosync_api_v1
*corosync_api)
+ {
+ int i;
+ char param[ICMAP_KEYNAME_MAXLEN];
++ int32_t err;
+
+ api = corosync_api;
+
+@@ -302,7 +314,12 @@ cs_error_t stats_map_init(const struct corosync_api_v1
*corosync_api)
+ }
+
+ /* KNET, IPCS & SCHEDMISS stats are added when appropriate */
+- return CS_OK;
++
++
++ /* Call us when we can free things */
++ err = qb_map_notify_add(stats_map, NULL, stats_map_free_cb,
QB_MAP_NOTIFY_FREE, NULL);
++
++ return (qb_to_cs_error(err));
+ }
+
+ cs_error_t stats_map_get(const char *key_name,
