[MDEV-28690] Releasing an not-acquired lock in the create_worker_threads - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.9.1, 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.8(EOL)
Fix Version/s: 10.7.5, 10.3.36, 10.4.26, 10.5.17, 10.6.9, 10.8.4, 10.9.2
Component/s: Backup
Labels:
- leak
Environment:
All

Description

There is unlocking of a resource that is not locked, CWE-832, in the method create_worker_threads. That is, when "compress: pthread_create() failed", lock thd->ctrl_mutex is released. Yet, when coming to err branch, the lock is erroneously released again.

Location: https://github.com/MariaDB/server/blob/10.9/extra/mariabackup/ds_compress.cc#L364-L391

Thank you for your checking.

Attachments

Activity

Ascending order - Click to sort in descending order

Marko Mäkelä added a comment - 2022-05-29 08:31

Thank you for the report. I would say that normally, it is questionable to initialize and acquire thd->ctrl_mutex in the same function. If the acquisition is really necessary for correctness, it feels like there would be a race condition for the time window before the mutex was acquired.

In fact, all thd->ctrl_mutex should be unreachable to other threads except those that are being created by pthread_create() in create_worker_threads(). That is because the pointer to the array threads is local to the function create_worker_threads() until it is returned to the caller.

In fact, there is a double-unlock of the mutex in case any of the goto err is invoked.

Neither thd->ctrl_cond, thd->ctrl_mutex, nor thd->started are needed at all. We already clear thd->data_avail and thd->cancelled before calling pthread_create(). The logic around thd->data_mutex and thd->data_cond should suffice.

I spotted also a resource leak in the error handling code path: we would fail to stop already created threads and free the memory buffer.

Marko Mäkelä added a comment - 2022-05-29 08:31 Thank you for the report. I would say that normally, it is questionable to initialize and acquire thd->ctrl_mutex in the same function. If the acquisition is really necessary for correctness, it feels like there would be a race condition for the time window before the mutex was acquired. In fact, all thd->ctrl_mutex should be unreachable to other threads except those that are being created by pthread_create() in create_worker_threads() . That is because the pointer to the array threads is local to the function create_worker_threads() until it is returned to the caller. In fact, there is a double-unlock of the mutex in case any of the goto err is invoked. Neither thd->ctrl_cond , thd->ctrl_mutex , nor thd->started are needed at all. We already clear thd->data_avail and thd->cancelled before calling pthread_create() . The logic around thd->data_mutex and thd->data_cond should suffice. I spotted also a resource leak in the error handling code path: we would fail to stop already created threads and free the memory buffer.

Ryan added a comment - 2022-05-29 09:24

I think, your explanation is reasonable. Thank you for your quick fix!

Ryan added a comment - 2022-05-29 09:24 I think, your explanation is reasonable. Thank you for your quick fix!

People

Assignee:: Marko Mäkelä

Reporter:: Ryan

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2022-05-29 06:03

Updated:: 2022-07-13 14:55

Resolved:: 2022-05-30 13:11

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server