Inactive incorrectly incremented
authorMark Andrews <marka@isc.org>
Fri, 18 Dec 2020 02:31:07 +0000 (13:31 +1100)
committerMark Andrews <marka@isc.org>
Wed, 6 Jan 2021 04:27:07 +0000 (15:27 +1100)
It is possible to have two threads destroying an rbtdb at the same
time when detachnode() executes and removes the last reference to
a node between exiting being set to true for the node and testing
if the references are zero in maybe_free_rbtdb().  Move NODE_UNLOCK()
to after checking if references is zero to prevent detachnode()
changing the reference count too early.

lib/dns/rbtdb.c

index 6aa4bc1f3887bc18dbe275215020fabd7d83cb49..b9a46cea403f07321b0c75d587e4174c1484d686 100644 (file)
@@ -1256,11 +1256,11 @@ maybe_free_rbtdb(dns_rbtdb_t *rbtdb) {
        for (i = 0; i < rbtdb->node_lock_count; i++) {
                NODE_LOCK(&rbtdb->node_locks[i].lock, isc_rwlocktype_write);
                rbtdb->node_locks[i].exiting = true;
-               NODE_UNLOCK(&rbtdb->node_locks[i].lock, isc_rwlocktype_write);
                if (isc_refcount_current(&rbtdb->node_locks[i].references) == 0)
                {
                        inactive++;
                }
+               NODE_UNLOCK(&rbtdb->node_locks[i].lock, isc_rwlocktype_write);
        }
 
        if (inactive != 0) {
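Review bot: The lock ordering this fix depends on is not documented in the loop: nothing explains why the `isc_refcount_current()` test must sit between `NODE_LOCK` and `NODE_UNLOCK`. A later cleanup could move the unlock back up and reintroduce the race in which two threads both treat the bucket as inactive and both go on to destroy the rbtdb. I would add a comment above the test, e.g. `/* Test references while still holding the node lock: detachnode() must not drop the last reference between setting exiting and this check. */`. The check is presumably only sound if every path that releases the last node reference takes the same node lock before it reads `exiting`; that path is outside this hunk and is worth confirming. maybe_free_rbtdb() starts and ends outside the hunk.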