[Asterisk-code-review] Bridging: Use a ref to bridge_channel's channel to prevent crash. (asterisk[17])
Joshua Colp
asteriskteam at digium.com
Thu Sep 10 05:56:47 CDT 2020
Joshua Colp has submitted this change. ( https://gerrit.asterisk.org/c/asterisk/+/14869 )
Change subject: Bridging: Use a ref to bridge_channel's channel to prevent crash.
......................................................................
Bridging: Use a ref to bridge_channel's channel to prevent crash.
There's a race condition with bridging where a bridge can be torn down
causing the bridge_channel's ast_channel to become NULL when it's still
needed. This particular case happened with attended transfers, but the
crash occurred when trying to publish a stasis message. Now, the
bridge_channel is locked, a ref to the ast_channel is obtained, and that
ref is passed down the chain.
Change-Id: Ic48715c0c041615d17d286790ae3e8c61bb28814
---
M include/asterisk/bridge_channel.h
M main/bridge.c
M main/bridge_channel.c
3 files changed, 52 insertions(+), 3 deletions(-)
Approvals:
Joshua Colp: Looks good to me, but someone else must approve; Approved for Submit
Kevin Harwell: Looks good to me, approved
George Joseph: Looks good to me, but someone else must approve
diff --git a/include/asterisk/bridge_channel.h b/include/asterisk/bridge_channel.h
index 4504d6b..fb2fd4f 100644
--- a/include/asterisk/bridge_channel.h
+++ b/include/asterisk/bridge_channel.h
@@ -194,6 +194,20 @@
};
/*!
+ * \brief Get a ref to the bridge_channel's ast_channel
+ *
+ * \param bridge_channel The bridge channel
+ *
+ * \note The returned channel NEEDS to be unref'd once you are done with it. In general, this
+ * function is best used when accessing the bridge_channel chan from outside of a bridging
+ * thread.
+ *
+ * \retval ref'd ast_channel on success
+ * \retval NULL otherwise
+ */
+struct ast_channel *ast_bridge_channel_get_chan(struct ast_bridge_channel *bridge_channel);
+
+/*!
* \brief Try locking the bridge_channel.
*
* \param bridge_channel What to try locking
diff --git a/main/bridge.c b/main/bridge.c
index 9304495..d25ffdf 100644
--- a/main/bridge.c
+++ b/main/bridge.c
@@ -1728,7 +1728,10 @@
ast_channel_lock(chan);
ast_channel_internal_bridge_channel_set(chan, NULL);
ast_channel_unlock(chan);
+ /* Due to a race condition, we lock the bridge channel here for ast_bridge_channel_get_chan */
+ ao2_lock(bridge_channel);
bridge_channel->chan = NULL;
+ ao2_unlock(bridge_channel);
/* If bridge_channel->swap is not NULL then the join failed. */
ao2_t_cleanup(bridge_channel->swap, "Bridge complete: join failed");
bridge_channel->swap = NULL;
@@ -1797,7 +1800,10 @@
ast_channel_lock(chan);
ast_channel_internal_bridge_channel_set(chan, NULL);
ast_channel_unlock(chan);
+ /* Lock here for ast_bridge_channel_get_chan */
+ ao2_lock(bridge_channel);
bridge_channel->chan = NULL;
+ ao2_unlock(bridge_channel);
/* If bridge_channel->swap is not NULL then the join failed. */
ao2_t_cleanup(bridge_channel->swap, "Bridge complete: Independent impart join failed");
bridge_channel->swap = NULL;
@@ -1898,7 +1904,10 @@
ast_channel_lock(chan);
ast_channel_internal_bridge_channel_set(chan, NULL);
ast_channel_unlock(chan);
+ /* Lock here for ast_bridge_channel_get_chan */
+ ao2_lock(bridge_channel);
bridge_channel->chan = NULL;
+ ao2_unlock(bridge_channel);
ao2_t_cleanup(bridge_channel->swap, "Bridge complete: Impart failed");
bridge_channel->swap = NULL;
ast_bridge_features_destroy(bridge_channel->features);
@@ -4749,14 +4758,22 @@
if (to_transferee_bridge_channel) {
/* Take off hold if they are on hold. */
- ast_bridge_channel_write_unhold(to_transferee_bridge_channel);
+ if (ast_bridge_channel_write_unhold(to_transferee_bridge_channel)) {
+ ast_log(LOG_ERROR, "Transferee channel disappeared during transfer!\n");
+ res = AST_BRIDGE_TRANSFER_FAIL;
+ goto end;
+ }
}
if (to_target_bridge_channel) {
const char *target_complete_sound;
/* Take off hold if they are on hold. */
- ast_bridge_channel_write_unhold(to_target_bridge_channel);
+ if (ast_bridge_channel_write_unhold(to_target_bridge_channel)) {
+ ast_log(LOG_ERROR, "Target channel disappeared during transfer!\n");
+ res = AST_BRIDGE_TRANSFER_FAIL;
+ goto end;
+ }
/* Is there a courtesy sound to play to the target? */
ast_channel_lock(to_transfer_target);
diff --git a/main/bridge_channel.c b/main/bridge_channel.c
index ade98fd..3c5e87b 100644
--- a/main/bridge_channel.c
+++ b/main/bridge_channel.c
@@ -208,6 +208,17 @@
ast_sem_post(&sync_struct->sem);
}
+struct ast_channel *ast_bridge_channel_get_chan(struct ast_bridge_channel *bridge_channel)
+{
+ struct ast_channel *chan;
+
+ ao2_lock(bridge_channel);
+ chan = ao2_bump(bridge_channel->chan);
+ ao2_unlock(bridge_channel);
+
+ return chan;
+}
+
void ast_bridge_channel_lock_bridge(struct ast_bridge_channel *bridge_channel)
{
struct ast_bridge *bridge;
@@ -1177,7 +1188,14 @@
int ast_bridge_channel_write_unhold(struct ast_bridge_channel *bridge_channel)
{
- ast_channel_publish_cached_blob(bridge_channel->chan, ast_channel_unhold_type(), NULL);
+ struct ast_channel *chan = ast_bridge_channel_get_chan(bridge_channel);
+
+ if (!chan) {
+ return -1;
+ }
+
+ ast_channel_publish_cached_blob(chan, ast_channel_unhold_type(), NULL);
+ ao2_ref(chan, -1);
return ast_bridge_channel_write_control_data(bridge_channel, AST_CONTROL_UNHOLD, NULL, 0);
}
--
To view, visit https://gerrit.asterisk.org/c/asterisk/+/14869
To unsubscribe, or for help writing mail filters, visit https://gerrit.asterisk.org/settings
Gerrit-Project: asterisk
Gerrit-Branch: 17
Gerrit-Change-Id: Ic48715c0c041615d17d286790ae3e8c61bb28814
Gerrit-Change-Number: 14869
Gerrit-PatchSet: 4
Gerrit-Owner: Benjamin Keith Ford <bford at digium.com>
Gerrit-Reviewer: Friendly Automation
Gerrit-Reviewer: George Joseph <gjoseph at digium.com>
Gerrit-Reviewer: Joshua Colp <jcolp at sangoma.com>
Gerrit-Reviewer: Kevin Harwell <kharwell at digium.com>
Gerrit-MessageType: merged
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-code-review/attachments/20200910/9c07679a/attachment-0001.html>
More information about the asterisk-code-review
mailing list