DBusCounter: add a mutex to protect the refcount and notify function

The overall problem here is that DBusCounter is indirectly linked to a DBusConnection, but is not actually guaranteed to be protected by that connection's mutex; and a DBusMessage can carry a reference to the DBusCounter, resulting in freeing that DBusMessage having an effect on the DBusCounter. Making the refcount atomic would not be a sufficient fix, since it would not protect the notify function: _dbus_counter_notify() could be called indirectly by dbus_message_unref(), in an arbitrary thread that does not hold the DBusConnection's lock, at the same time that the holder of the DBusConnection lock calls _dbus_transport_set_max_message_size(). [smcv: added commit message] Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89297 Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
author: Adrian Szyndela <adrian.s@samsung.com> 2015-05-05 12:30:30 +0100
committer: Simon McVittie <simon.mcvittie@collabora.co.uk> 2015-05-05 12:30:30 +0100
commit: bbef8e40383efd84972e6346b3f37b553531e191 (patch)
tree: 9811a95696231c2da3e1116a36ccd081f78bbf8d
parent: bebe9ca9937a5e44147c8fc0160f04d39573d110 (diff)
download: dbus-bbef8e40383efd84972e6346b3f37b553531e191.tar.gz
1 files changed, 47 insertions, 5 deletions
diff --git a/dbus/dbus-resources.c b/dbus/dbus-resources.c
index 80fb55b2..0617eae2 100644
--- a/dbus/dbus-resources.c
+++ b/dbus/dbus-resources.c
@@ -69,6 +69,7 @@ struct DBusCounter
   DBusCounterNotifyFunction notify_function; /**< notify function */
   void *notify_data; /**< data for notify function */
   dbus_bool_t notify_pending : 1; /**< TRUE if the guard value has been crossed */
+  DBusRMutex *mutex;    /**< Lock on the entire DBusCounter */
 };
 
 /** @} */  /* end of resource limits internals docs */
@@ -95,6 +96,13 @@ _dbus_counter_new (void)
 
   counter->refcount = 1;
 
+  _dbus_rmutex_new_at_location (&counter->mutex);
+  if (counter->mutex == NULL)
+  {
+    dbus_free (counter);
+    counter = NULL;
+  }
+
   return counter;
 }
 
@@ -107,10 +115,14 @@ _dbus_counter_new (void)
 DBusCounter *
 _dbus_counter_ref (DBusCounter *counter)
 {
+  _dbus_rmutex_lock (counter->mutex);
+
   _dbus_assert (counter->refcount > 0);
   
   counter->refcount += 1;
 
+  _dbus_rmutex_unlock (counter->mutex);
+
   return counter;
 }
 
@@ -123,13 +135,20 @@ _dbus_counter_ref (DBusCounter *counter)
 void
 _dbus_counter_unref (DBusCounter *counter)
 {
+  dbus_bool_t last_ref = FALSE;
+
+  _dbus_rmutex_lock (counter->mutex);
+
   _dbus_assert (counter->refcount > 0);
 
   counter->refcount -= 1;
+  last_ref = (counter->refcount == 0);
+
+  _dbus_rmutex_unlock (counter->mutex);
 
-  if (counter->refcount == 0)
+  if (last_ref)
     {
-      
+      _dbus_rmutex_free_at_location (&counter->mutex);
       dbus_free (counter);
     }
 }
@@ -148,7 +167,11 @@ void
 _dbus_counter_adjust_size (DBusCounter *counter,
                            long         delta)
 {
-  long old = counter->size_value;
+  long old = 0;
+
+  _dbus_rmutex_lock (counter->mutex);
+
+  old = counter->size_value;
 
   counter->size_value += delta;
 
@@ -168,6 +191,8 @@ _dbus_counter_adjust_size (DBusCounter *counter,
        (old >= counter->notify_size_guard_value &&
         counter->size_value < counter->notify_size_guard_value)))
     counter->notify_pending = TRUE;
+
+  _dbus_rmutex_unlock (counter->mutex);
 }
 
 /**
@@ -181,11 +206,20 @@ _dbus_counter_adjust_size (DBusCounter *counter,
 void
 _dbus_counter_notify (DBusCounter *counter)
 {
+  DBusCounterNotifyFunction notify_function = NULL;
+  void *notify_data = NULL;
+
+  _dbus_rmutex_lock (counter->mutex);
   if (counter->notify_pending)
     {
       counter->notify_pending = FALSE;
-      (* counter->notify_function) (counter, counter->notify_data);
+      notify_function = counter->notify_function;
+      notify_data = counter->notify_data;
     }
+  _dbus_rmutex_unlock (counter->mutex);
+
+  if (notify_function != NULL)
+    (* notify_function) (counter, notify_data);
 }
 
 /**
@@ -202,7 +236,11 @@ void
 _dbus_counter_adjust_unix_fd (DBusCounter *counter,
                               long         delta)
 {
-  long old = counter->unix_fd_value;
+  long old = 0;
+
+  _dbus_rmutex_lock (counter->mutex);
+
+  old = counter->unix_fd_value;
   
   counter->unix_fd_value += delta;
 
@@ -222,6 +260,8 @@ _dbus_counter_adjust_unix_fd (DBusCounter *counter,
        (old >= counter->notify_unix_fd_guard_value &&
         counter->unix_fd_value < counter->notify_unix_fd_guard_value)))
     counter->notify_pending = TRUE;
+
+  _dbus_rmutex_unlock (counter->mutex);
 }
 
 /**
@@ -266,11 +306,13 @@ _dbus_counter_set_notify (DBusCounter               *counter,
                           DBusCounterNotifyFunction  function,
                           void                      *user_data)
 {
+  _dbus_rmutex_lock (counter->mutex);
   counter->notify_size_guard_value = size_guard_value;
   counter->notify_unix_fd_guard_value = unix_fd_guard_value;
   counter->notify_function = function;
   counter->notify_data = user_data;
   counter->notify_pending = FALSE;
+  _dbus_rmutex_unlock (counter->mutex);
 }
 
 #ifdef DBUS_ENABLE_STATS
author	Adrian Szyndela <adrian.s@samsung.com>	2015-05-05 12:30:30 +0100
committer	Simon McVittie <simon.mcvittie@collabora.co.uk>	2015-05-05 12:30:30 +0100
commit	bbef8e40383efd84972e6346b3f37b553531e191 (patch)
tree	9811a95696231c2da3e1116a36ccd081f78bbf8d
parent	bebe9ca9937a5e44147c8fc0160f04d39573d110 (diff)
download	dbus-bbef8e40383efd84972e6346b3f37b553531e191.tar.gz