[MDEV-28690] Releasing an not-acquired lock in the create_worker_threads Created: 2022-05-29 Updated: 2022-07-13 Resolved: 2022-05-30 |
|
| Status: | Closed |
| Project: | MariaDB Server |
| Component/s: | Backup |
| Affects Version/s: | 10.9.1, 10.3, 10.4, 10.5, 10.6, 10.7, 10.8 |
| Fix Version/s: | 10.3.36, 10.4.26, 10.5.17, 10.6.9, 10.7.5, 10.8.4, 10.9.2 |
| Type: | Bug | Priority: | Critical |
| Reporter: | Ryan | Assignee: | Marko Mäkelä |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | leak | ||
| Environment: |
All |
||
| Description |
|
There is unlocking of a resource that is not locked, CWE-832, in the method create_worker_threads. That is, when "compress: pthread_create() failed", lock thd->ctrl_mutex is released. Yet, when coming to err branch, the lock is erroneously released again. Location: https://github.com/MariaDB/server/blob/10.9/extra/mariabackup/ds_compress.cc#L364-L391 Thank you for your checking. |
| Comments |
| Comment by Marko Mäkelä [ 2022-05-29 ] |
|
Thank you for the report. I would say that normally, it is questionable to initialize and acquire thd->ctrl_mutex in the same function. If the acquisition is really necessary for correctness, it feels like there would be a race condition for the time window before the mutex was acquired. In fact, all thd->ctrl_mutex should be unreachable to other threads except those that are being created by pthread_create() in create_worker_threads(). That is because the pointer to the array threads is local to the function create_worker_threads() until it is returned to the caller. In fact, there is a double-unlock of the mutex in case any of the goto err is invoked. Neither thd->ctrl_cond, thd->ctrl_mutex, nor thd->started are needed at all. We already clear thd->data_avail and thd->cancelled before calling pthread_create(). The logic around thd->data_mutex and thd->data_cond should suffice. I spotted also a resource leak in the error handling code path: we would fail to stop already created threads and free the memory buffer. |
| Comment by Ryan [ 2022-05-29 ] |
|
I think, your explanation is reasonable. Thank you for your quick fix! |