From: Matthew Nicholson Date: Thu, 17 Sep 2009 14:58:39 +0000 (+0000) Subject: Prevent a potential race condition and crash when hanging up a channel by removing... X-Git-Tag: 1.4.27-rc1~2^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ea3f81a68f9f8296df264ff5bbefa89869c7aa78;p=thirdparty%2Fasterisk.git Prevent a potential race condition and crash when hanging up a channel by removing the channel from the channel list before begining channel tear down. This fix may potentially cause problems with CDR backends that access the channel a CDR is associated with via the channel list. This fix makes the channel unavabile at the time when the CDR backend is invoked. This has been documented in include/asterisk/cdr.h. (closes issue #15316) Reported by: vmarrone Tested by: mnicholson Review: https://reviewboard.asterisk.org/r/362/ git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.4@219136 65c4cc65-6c06-0410-ace0-fbb531ad65f3 --- diff --git a/include/asterisk/cdr.h b/include/asterisk/cdr.h index 3d576b712b..738292e983 100644 --- a/include/asterisk/cdr.h +++ b/include/asterisk/cdr.h @@ -112,6 +112,11 @@ int ast_cdr_serialize_variables(struct ast_cdr *cdr, char *buf, size_t size, cha void ast_cdr_free_vars(struct ast_cdr *cdr, int recur); int ast_cdr_copy_vars(struct ast_cdr *to_cdr, struct ast_cdr *from_cdr); +/*!\brief CDR backend callback + * \warning CDR backends should NOT attempt to access the channel associated + * with a CDR record. This channel is not guaranteed to exist when the CDR + * backend is invoked. + */ typedef int (*ast_cdrbe)(struct ast_cdr *cdr); /*! \brief Allocate a CDR record diff --git a/include/asterisk/channel.h b/include/asterisk/channel.h index 92c86fca5e..2a835c96c9 100644 --- a/include/asterisk/channel.h +++ b/include/asterisk/channel.h @@ -515,6 +515,8 @@ enum { * bridge terminates, this will allow the hangup in the pbx loop to be run instead. * */ AST_FLAG_BRIDGE_HANGUP_DONT = (1 << 17), + /*! This flag indicates whether the channel is in the channel list or not. */ + AST_FLAG_IN_CHANNEL_LIST = (1 << 19), }; /*! \brief ast_bridge_config flags */ diff --git a/main/channel.c b/main/channel.c index db4fd62c8d..a674e0a16b 100644 --- a/main/channel.c +++ b/main/channel.c @@ -868,6 +868,8 @@ alertpipe_failed: tmp->tech = &null_tech; + ast_set_flag(tmp, AST_FLAG_IN_CHANNEL_LIST); + AST_LIST_LOCK(&channels); AST_LIST_INSERT_HEAD(&channels, tmp, chan_list); AST_LIST_UNLOCK(&channels); @@ -1247,17 +1249,22 @@ void ast_channel_free(struct ast_channel *chan) struct varshead *headp; struct ast_datastore *datastore = NULL; char name[AST_CHANNEL_NAME], *dashptr; + int inlist; headp=&chan->varshead; - AST_LIST_LOCK(&channels); - if (!AST_LIST_REMOVE(&channels, chan, chan_list)) { - ast_log(LOG_ERROR, "Unable to find channel in list to free. Assuming it has already been done.\n"); + inlist = ast_test_flag(chan, AST_FLAG_IN_CHANNEL_LIST); + if (inlist) { + AST_LIST_LOCK(&channels); + if (!AST_LIST_REMOVE(&channels, chan, chan_list)) { + if (option_debug) + ast_log(LOG_DEBUG, "Unable to find channel in list to free. Assuming it has already been done.\n"); + } + /* Lock and unlock the channel just to be sure nobody has it locked still + due to a reference retrieved from the channel list. */ + ast_channel_lock(chan); + ast_channel_unlock(chan); } - /* Lock and unlock the channel just to be sure nobody has it locked still - due to a reference retrieved from the channel list. */ - ast_channel_lock(chan); - ast_channel_unlock(chan); /* Get rid of each of the data stores on the channel */ while ((datastore = AST_LIST_REMOVE_HEAD(&chan->datastores, entry))) @@ -1328,7 +1335,8 @@ void ast_channel_free(struct ast_channel *chan) ast_string_field_free_memory(chan); free(chan); - AST_LIST_UNLOCK(&channels); + if (inlist) + AST_LIST_UNLOCK(&channels); ast_device_state_changed_literal(name); } @@ -1515,6 +1523,16 @@ int ast_hangup(struct ast_channel *chan) ast_channel_unlock(chan); return 0; } + ast_channel_unlock(chan); + + AST_LIST_LOCK(&channels); + if (!AST_LIST_REMOVE(&channels, chan, chan_list)) { + ast_log(LOG_ERROR, "Unable to find channel in list to free. Assuming it has already been done.\n"); + } + ast_clear_flag(chan, AST_FLAG_IN_CHANNEL_LIST); + AST_LIST_UNLOCK(&channels); + + ast_channel_lock(chan); free_translation(chan); /* Close audio stream */ if (chan->stream) {