Attention is currently required from: osmith, pespin, lynxis lazus.

pespin uploaded patch set #3 to this change.

View Change

Fix use-after-free by tun thread after tun obj destroyed

The main thread calls pthread_cancel before freeing the tun object.
However, pthread_cancel doesn't kill the thread synchronously (man
pthread_cancel). Hence, the tun thread may still be running for a while
after the tun object is/has been(ing) freed.
Let's avoid this by making sure the thread is stopped before
freeing the object.
To accomplish it, we must wait for the thread to be cancelled. A cleanup
routie is added which will signal the "tun_released" message to the main
thread through an osmo_itq, which will then free the object (since
talloc context is managed by the main thread).

Related: SYS#5523
Change-Id: Idf005359afb41d3413b09281a9ff937d5eafcc7c
---
M daemon/daemon_vty.c
M daemon/internal.h
M daemon/main.c
M daemon/tun_device.c
4 files changed, 84 insertions(+), 15 deletions(-)

git pull ssh://gerrit.osmocom.org:29418/osmo-uecups refs/changes/39/27739/3

To view, visit change 27739. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit-Project: osmo-uecups
Gerrit-Branch: master
Gerrit-Change-Id: Idf005359afb41d3413b09281a9ff937d5eafcc7c
Gerrit-Change-Number: 27739
Gerrit-PatchSet: 3
Gerrit-Owner: pespin <pespin@sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: daniel <dwillmann@sysmocom.de>
Gerrit-Reviewer: fixeria <vyanitskiy@sysmocom.de>
Gerrit-Reviewer: lynxis lazus <lynxis@fe80.eu>
Gerrit-Reviewer: osmith <osmith@sysmocom.de>
Gerrit-Attention: osmith <osmith@sysmocom.de>
Gerrit-Attention: pespin <pespin@sysmocom.de>
Gerrit-Attention: lynxis lazus <lynxis@fe80.eu>
Gerrit-MessageType: newpatchset