fix: usr: Fix race condition when canceling ADB find

When canceling the ADB find, the lock on the find gets released for a brief period of time to be locked again inside adbname lock. During the brief period that the ADB find is unlocked, it can get canceled by other means removing it from the adbname list which in turn causes assertion failure due to a double removal from the adbname list. This has been fixed. Closes #5024 Merge branch '5024-fix-crash-in-dns_adb_cancelfind' into 'main' See merge request isc-projects/bind9!9722
2025-08-31 06:25:31 +00:00 · 2024-11-13 07:49:05 +00:00
parent 39d32e525f 128e50e1ff
commit 75f1587aed
1 changed files with 14 additions and 2 deletions
--- a/lib/dns/adb.c
+++ b/lib/dns/adb.c
@@ -2314,17 +2314,29 @@ dns_adb_cancelfind(dns_adbfind_t *find) {
 		 * locks in that order, to match locking hierarchy
 		 * elsewhere.
 		 */
+		dns_adbname_ref(adbname);
 		UNLOCK(&find->lock);
+
+		/*
+		 * Other thread could cancel the find between the unlock and
+		 * lock, so we need to recheck whether the adbname is still
+		 * valid and reference the adbname, so it does not vanish before
+		 * we have a chance to lock it again.
+		 */
+
 		LOCK(&adbname->lock);
 		LOCK(&find->lock);

-		ISC_LIST_UNLINK(adbname->finds, find, plink);
-		find->adbname = NULL;
+		if (find->adbname != NULL) {
+			ISC_LIST_UNLINK(find->adbname->finds, find, plink);
+			find->adbname = NULL;
+		}

 		find_sendevent(find);

 		UNLOCK(&find->lock);
 		UNLOCK(&adbname->lock);
+		dns_adbname_detach(&adbname);
 	}
 }