[asterisk-bugs] [Asterisk 0016678]: [patch] segfault on chanspy due to race in main/channel.c

Asterisk Bug Tracker noreply at bugs.digium.com
Fri Feb 12 10:29:27 CST 2010


The following issue requires your FEEDBACK. 
====================================================================== 
https://issues.asterisk.org/view.php?id=16678 
====================================================================== 
Reported By:                tim_ringenbach
Assigned To:                dvossel
====================================================================== 
Project:                    Asterisk
Issue ID:                   16678
Category:                   Applications/app_chanspy
Reproducibility:            random
Severity:                   minor
Priority:                   normal
Status:                     feedback
Target Version:             1.4.31
Asterisk Version:           1.4.29 
JIRA:                       SWP-783 
Regression:                 No 
Reviewboard Link:            
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Request Review:              
====================================================================== 
Date Submitted:             2010-01-22 17:52 CST
Last Modified:              2010-02-12 10:29 CST
====================================================================== 
Summary:                    [patch] segfault on chanspy due to race in main/channel.c
Description: 
When channel.c destroys the datastore on the channel, it doesn't hold the
channel lock while calling the destroy callback. It really ought to,
because otherwise it's accessing the datastore list without locking. I've
gotten a segfault trying to lock the mutex in the ds destroy function in
app_chanspy because of this race.

Holding the channel lock during the destroy should be safe because it is
also held during the fixup callback, and app_chanspy has already been
patched to avoid the possible deadlock from that locking order issue.
====================================================================== 

---------------------------------------------------------------------- 
 (0118034) dvossel (administrator) - 2010-02-12 10:29
 https://issues.asterisk.org/view.php?id=16678#c118034 
---------------------------------------------------------------------- 
I've uploaded a patch that I believe will resolve the issue.  It doesn't
look like the problem you are having has to do with locking.  The chanspy
datastore is created on the stack, and the mutex is destroyed before
exiting the main chanspy function. Regardless of whether we lock the
datastore's channel during removal or not, if a channel still has the
chanspy datastore after the chanspy app exits it will crash.  I believe the
real fix is to put a couple of checks in chanspy to guarantee this never
happens.  Please test my patch and let me know if it resolves the issue.

I'm posting this patch on reviewboard as well.  It will be at this link,
https://reviewboard.asterisk.org/r/500/ 

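The two comments above describe the same crash from different angles: the reporter sees a destroy callback touching a datastore whose mutex is already gone, and dvossel traces it to the chanspy datastore living on the app's stack while the channel still references it. The program below is an added, constructed model of that lifetime problem; it is not Asterisk source and none of its names (`channel`, `datastore`, `chanspy_ds`, `run_chanspy`, `scenario_crashes`) are the project's. It reproduces the reported ordering (mutex destroyed while the datastore is still attached) alongside the corrected ordering (datastore detached from the channel and its callback run before the stack object goes away), and records the would-be crash in a flag rather than actually locking a destroyed mutex.

```c
#include <pthread.h>
#include <stdio.h>
#include <stddef.h>

/* Constructed model (not Asterisk code): a channel owns a list of datastores
 * and runs their destroy callbacks at teardown; the spy state is a stack
 * object that owns its own mutex. */
struct datastore {
    void *data;
    void (*destroy)(void *data);
    struct datastore *next;
};

struct channel {
    pthread_mutex_t lock;
    struct datastore *datastores;
};

struct chanspy_ds {
    pthread_mutex_t lock;
    int mutex_alive;                /* constructed flag: 0 once the mutex is destroyed */
    int destroyed_after_mutex_gone; /* records the crash case instead of invoking UB */
};

static void channel_init(struct channel *chan)
{
    pthread_mutex_init(&chan->lock, NULL);
    chan->datastores = NULL;
}

static void channel_datastore_add(struct channel *chan, struct datastore *ds)
{
    pthread_mutex_lock(&chan->lock);
    ds->next = chan->datastores;
    chan->datastores = ds;
    pthread_mutex_unlock(&chan->lock);
}

/* Unlink ds under the channel lock; returns 1 if found, 0 if already gone. */
static int channel_datastore_remove(struct channel *chan, struct datastore *ds)
{
    struct datastore **p;
    int found = 0;
    pthread_mutex_lock(&chan->lock);
    for (p = &chan->datastores; *p; p = &(*p)->next) {
        if (*p == ds) {
            *p = ds->next;
            ds->next = NULL;
            found = 1;
            break;
        }
    }
    pthread_mutex_unlock(&chan->lock);
    return found;
}

/* Teardown runs destroy callbacks with the channel lock held, so the list is
 * never walked while another thread modifies it. */
static void channel_destroy(struct channel *chan)
{
    struct datastore *ds, *next;
    pthread_mutex_lock(&chan->lock);
    for (ds = chan->datastores; ds; ds = next) {
        next = ds->next;
        if (ds->destroy)
            ds->destroy(ds->data);
    }
    chan->datastores = NULL;
    pthread_mutex_unlock(&chan->lock);
    pthread_mutex_destroy(&chan->lock);
}

static void chanspy_ds_destroy(void *data)
{
    struct chanspy_ds *sds = data;
    if (!sds->mutex_alive) {
        /* The real callback would lock a destroyed mutex here: that is the segfault. */
        sds->destroyed_after_mutex_gone = 1;
        return;
    }
    pthread_mutex_lock(&sds->lock);
    /* ... clear the spy's references while holding its own lock ... */
    pthread_mutex_unlock(&sds->lock);
}

/* App body. detach_on_exit == 0 reproduces the reported ordering; 1 applies the
 * check: the channel must no longer hold the datastore before the stack object
 * and its mutex go away. Returns 1 if the datastore was left attached. */
static int run_chanspy(struct channel *spyee, struct chanspy_ds *sds,
                       struct datastore *ds, int detach_on_exit)
{
    int still_attached = 1;
    pthread_mutex_init(&sds->lock, NULL);
    sds->mutex_alive = 1;
    sds->destroyed_after_mutex_gone = 0;
    ds->data = sds;
    ds->destroy = chanspy_ds_destroy;
    channel_datastore_add(spyee, ds);
    /* ... spying loop elided ... */
    if (detach_on_exit) {
        if (channel_datastore_remove(spyee, ds))
            ds->destroy(ds->data);   /* run the callback while the mutex is valid */
        still_attached = 0;
    }
    pthread_mutex_destroy(&sds->lock);
    sds->mutex_alive = 0;
    return still_attached;
}

/* One full lifecycle; returns 1 if the destroy callback ran on a dead mutex. */
static int scenario_crashes(int detach_on_exit)
{
    struct channel chan;
    struct chanspy_ds sds;
    struct datastore ds;
    channel_init(&chan);
    run_chanspy(&chan, &sds, &ds, detach_on_exit);
    channel_destroy(&chan);
    return sds.destroyed_after_mutex_gone;
}

int main(void)
{
    printf("reported ordering crashes: %d\n", scenario_crashes(0));
    printf("detach-before-exit crashes: %d\n", scenario_crashes(1));
    return 0;
}
```

The model keeps the channel lock held around the destroy callbacks, as the reporter proposes, yet the first scenario still fails: the ordering bug is in the datastore's lifetime, not in list locking, which is the point dvossel makes. The check in the second scenario is what prevents the callback from ever seeing a stack object whose mutex has already been destroyed.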
Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2010-02-12 10:29 dvossel        Note Added: 0118034                          
2010-02-12 10:29 dvossel        Status                   assigned => feedback
======================================================================