Fix: consumerd: use-after-free of metadata bucket

[lttng-tools.git] / src / common / ust-consumer / ust-consumer.c

diff --git a/src/common/ust-consumer/ust-consumer.c b/src/common/ust-consumer/ust-consumer.c
index 87ca3192775a2b4c4bedaee75e0ef661ca6e6b11..ba5f6e42211d7df37c28adf941a9e7e726713d18 100644 (file)
--- a/src/common/ust-consumer/ust-consumer.c
+++ b/src/common/ust-consumer/ust-consumer.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Julien Desfossez <julien.desfossez@polymtl.ca>
+ * Copyright (C) 2011 EfficiOS Inc.
  * Copyright (C) 2011 Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
  * Copyright (C) 2017 Jérémie Galarneau <jeremie.galarneau@efficios.com>
  *
@@ -10,6 +10,7 @@
 #define _LGPL_SOURCE
 #include <assert.h>
 #include <lttng/ust-ctl.h>
+#include <lttng/ust-sigbus.h>
 #include <poll.h>
 #include <pthread.h>
 #include <stdlib.h>
@@ -47,6 +48,8 @@
 extern struct lttng_consumer_global_data the_consumer_data;
 extern int consumer_poll_timeout;
 
+DEFINE_LTTNG_UST_SIGBUS_STATE();
+
 /*
  * Free channel object and all streams associated with it. This MUST be used
  * only and only if the channel has _NEVER_ been added to the global channel
@@ -65,7 +68,7 @@ static void destroy_channel(struct lttng_consumer_channel *channel)
 
                health_code_update();
 
-               cds_list_del(&stream->send_node);
+               cds_list_del_init(&stream->send_node);
                lttng_ust_ctl_destroy_stream(stream->ustream);
                lttng_trace_chunk_put(stream->trace_chunk);
                free(stream);
@@ -201,7 +204,7 @@ static int send_stream_to_thread(struct lttng_consumer_stream *stream,
         * global.
         */
        stream->globally_visible = 1;
-       cds_list_del(&stream->send_node);
+       cds_list_del_init(&stream->send_node);
 
        ret = lttng_pipe_write(stream_pipe, &stream, sizeof(stream));
        if (ret < 0) {
@@ -727,7 +730,14 @@ static int flush_channel(uint64_t chan_key)
                }
 
                if (!stream->quiescent) {
-                       lttng_ust_ctl_flush_buffer(stream->ustream, 0);
+                       ret = lttng_ust_ctl_flush_buffer(stream->ustream, 0);
+                       if (ret) {
+                               ERR("Failed to flush buffer while flushing channel: channel key = %" PRIu64 ", channel name = '%s'",
+                                               chan_key, channel->name);
+                               ret = LTTNG_ERR_BUFFER_FLUSH_FAILED;
+                               pthread_mutex_unlock(&stream->lock);
+                               goto error;
+                       }
                        stream->quiescent = true;
                }
 next:
@@ -939,7 +949,6 @@ error:
         * will make sure to clean that list.
         */
        consumer_stream_destroy(metadata->metadata_stream, NULL);
-       cds_list_del(&metadata->metadata_stream->send_node);
        metadata->metadata_stream = NULL;
 send_streams_error:
 error_no_stream:
@@ -995,7 +1004,7 @@ static int snapshot_metadata(struct lttng_consumer_channel *metadata_channel,
        metadata_stream = metadata_channel->metadata_stream;
        assert(metadata_stream);
 
-       pthread_mutex_lock(&metadata_stream->lock);
+       metadata_stream->read_subbuffer_ops.lock(metadata_stream);
        if (relayd_id != (uint64_t) -1ULL) {
                metadata_stream->net_seq_idx = relayd_id;
                ret = consumer_send_relayd_stream(metadata_stream, path);
@@ -1003,14 +1012,12 @@ static int snapshot_metadata(struct lttng_consumer_channel *metadata_channel,
                ret = consumer_stream_create_output_files(metadata_stream,
                                false);
        }
-       pthread_mutex_unlock(&metadata_stream->lock);
        if (ret < 0) {
                goto error_stream;
        }
 
        do {
                health_code_update();
-
                ret = lttng_consumer_read_subbuffer(metadata_stream, ctx, true);
                if (ret < 0) {
                        goto error_stream;
@@ -1018,12 +1025,12 @@ static int snapshot_metadata(struct lttng_consumer_channel *metadata_channel,
        } while (ret > 0);
 
 error_stream:
+       metadata_stream->read_subbuffer_ops.unlock(metadata_stream);
        /*
-        * Clean up the stream completly because the next snapshot will use a new
-        * metadata stream.
+        * Clean up the stream completely because the next snapshot will use a
+        * new metadata stream.
         */
        consumer_stream_destroy(metadata_stream, NULL);
-       cds_list_del(&metadata_stream->send_node);
        metadata_channel->metadata_stream = NULL;
 
 error:
@@ -1128,7 +1135,12 @@ static int snapshot_channel(struct lttng_consumer_channel *channel,
                 * Else, if quiescent, it has already been done by the prior stop.
                 */
                if (!stream->quiescent) {
-                       lttng_ust_ctl_flush_buffer(stream->ustream, 0);
+                       ret = lttng_ust_ctl_flush_buffer(stream->ustream, 0);
+                       if (ret < 0) {
+                               ERR("Failed to flush buffer during snapshot of channel: channel key = %" PRIu64 ", channel name = '%s'",
+                                               channel->key, channel->name);
+                               goto error_unlock;
+                       }
                }
 
                ret = lttng_ustconsumer_take_snapshot(stream);
@@ -1309,10 +1321,21 @@ int lttng_ustconsumer_recv_metadata(int sock, uint64_t key, uint64_t offset,
                 * metadata position to ensure the metadata poll thread consumes
                 * the whole cache.
                 */
-               pthread_mutex_lock(&channel->metadata_stream->lock);
-               metadata_stream_reset_cache_consumed_position(
-                               channel->metadata_stream);
-               pthread_mutex_unlock(&channel->metadata_stream->lock);
+
+               /*
+                * channel::metadata_stream can be null when the metadata
+                * channel is under a snapshot session type. No need to update
+                * the stream position in that scenario.
+                */
+               if (channel->metadata_stream != NULL) {
+                       pthread_mutex_lock(&channel->metadata_stream->lock);
+                       metadata_stream_reset_cache_consumed_position(
+                                       channel->metadata_stream);
+                       pthread_mutex_unlock(&channel->metadata_stream->lock);
+               } else {
+                       /* Validate we are in snapshot mode. */
+                       assert(!channel->monitor);
+               }
                /* Fall-through. */
        case CONSUMER_METADATA_CACHE_WRITE_STATUS_APPENDED_CONTENT:
                /*
@@ -1403,11 +1426,18 @@ int lttng_ustconsumer_recv_cmd(struct lttng_consumer_local_data *ctx,
        switch (msg.cmd_type) {
        case LTTNG_CONSUMER_ADD_RELAYD_SOCKET:
        {
+               uint32_t major = msg.u.relayd_sock.major;
+               uint32_t minor = msg.u.relayd_sock.minor;
+               enum lttcomm_sock_proto protocol =
+                               (enum lttcomm_sock_proto) msg.u.relayd_sock
+                                               .relayd_socket_protocol;
+
                /* Session daemon status message are handled in the following call. */
                consumer_add_relayd_socket(msg.u.relayd_sock.net_index,
-                               msg.u.relayd_sock.type, ctx, sock, consumer_sockpoll,
-                               &msg.u.relayd_sock.sock, msg.u.relayd_sock.session_id,
-                               msg.u.relayd_sock.relayd_session_id);
+                               msg.u.relayd_sock.type, ctx, sock,
+                               consumer_sockpoll, msg.u.relayd_sock.session_id,
+                               msg.u.relayd_sock.relayd_session_id, major,
+                               minor, protocol);
                goto end_nosignal;
        }
        case LTTNG_CONSUMER_DESTROY_RELAYD:
@@ -2314,13 +2344,13 @@ end:
        return ret_func;
 }
 
-void lttng_ust_flush_buffer(
-               struct lttng_consumer_stream *stream, int producer_active)
+int lttng_ust_flush_buffer(struct lttng_consumer_stream *stream,
+               int producer_active)
 {
        assert(stream);
        assert(stream->ustream);
 
-       lttng_ust_ctl_flush_buffer(stream->ustream, producer_active);
+       return lttng_ust_ctl_flush_buffer(stream->ustream, producer_active);
 }
 
 /*
@@ -2380,21 +2410,21 @@ int lttng_ustconsumer_get_consumed_snapshot(
        return lttng_ust_ctl_snapshot_get_consumed(stream->ustream, pos);
 }
 
-void lttng_ustconsumer_flush_buffer(struct lttng_consumer_stream *stream,
+int lttng_ustconsumer_flush_buffer(struct lttng_consumer_stream *stream,
                int producer)
 {
        assert(stream);
        assert(stream->ustream);
 
-       lttng_ust_ctl_flush_buffer(stream->ustream, producer);
+       return lttng_ust_ctl_flush_buffer(stream->ustream, producer);
 }
 
-void lttng_ustconsumer_clear_buffer(struct lttng_consumer_stream *stream)
+int lttng_ustconsumer_clear_buffer(struct lttng_consumer_stream *stream)
 {
        assert(stream);
        assert(stream->ustream);
 
-       lttng_ust_ctl_clear_buffer(stream->ustream);
+       return lttng_ust_ctl_clear_buffer(stream->ustream);
 }
 
 int lttng_ustconsumer_get_current_timestamp(
@@ -2427,8 +2457,11 @@ void lttng_ustconsumer_on_stream_hangup(struct lttng_consumer_stream *stream)
 
        pthread_mutex_lock(&stream->lock);
        if (!stream->quiescent) {
-               lttng_ust_ctl_flush_buffer(stream->ustream, 0);
-               stream->quiescent = true;
+               if (lttng_ust_ctl_flush_buffer(stream->ustream, 0) < 0) {
+                       ERR("Failed to flush buffer on stream hang-up");
+               } else {
+                       stream->quiescent = true;
+               }
        }
        pthread_mutex_unlock(&stream->lock);
        stream->hangup_flush_done = 1;
@@ -2589,8 +2622,12 @@ int commit_one_metadata_packet(struct lttng_consumer_stream *stream)
         * a metadata packet. Since the subbuffer is fully filled (with padding,
         * if needed), the stream is "quiescent" after this commit.
         */
-       lttng_ust_ctl_flush_buffer(stream->ustream, 1);
-       stream->quiescent = true;
+       if (lttng_ust_ctl_flush_buffer(stream->ustream, 1)) {
+               ERR("Failed to flush buffer while commiting one metadata packet");
+               ret = -EIO;
+       } else {
+               stream->quiescent = true;
+       }
 end:
        pthread_mutex_unlock(&stream->chan->metadata_cache->lock);
        return ret;
@@ -3410,3 +3447,8 @@ int lttng_ustconsumer_get_stream_id(struct lttng_consumer_stream *stream,
 
        return lttng_ust_ctl_get_stream_id(stream->ustream, stream_id);
 }
+
+void lttng_ustconsumer_sigbus_handle(void *addr)
+{
+       lttng_ust_ctl_sigbus_handle(addr);
+}