Merged revisions 260345 via svnmerge from
authorMark Michelson <mmichelson@digium.com>
Fri, 30 Apr 2010 20:11:02 +0000 (20:11 +0000)
committerMark Michelson <mmichelson@digium.com>
Fri, 30 Apr 2010 20:11:02 +0000 (20:11 +0000)
https://origsvn.digium.com/svn/asterisk/branches/1.4

........
  r260345 | mmichelson | 2010-04-30 15:08:15 -0500 (Fri, 30 Apr 2010) | 18 lines

  Fix potential crash from race condition due to accessing channel data without the channel locked.

  In res_musiconhold.c, there are several places where a channel's
  stream's existence is checked prior to calling ast_closestream on it. The issue
  here is that in several cases, the channel was not locked while checking the
  stream. The result was that if two threads checked the state of the channel's
  stream at approximately the same time, then there could be a situation where
  both threads attempt to call ast_closestream on the channel's stream. The result
  here is that the refcount for the stream would go below 0, resulting in a crash.

  I have added proper channel locking to res_musiconhold.c to ensure that
  we do not try to check chan->stream without the channel locked. A Digium customer
  has been using this patch for several weeks and has not had any crashes since
  applying the patch.

  ABE-2147
........

git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@260346 65c4cc65-6c06-0410-ace0-fbb531ad65f3

res/res_musiconhold.c

index 676b018..4d2c9ec 100644 (file)
@@ -355,7 +355,15 @@ static int moh_files_generator(struct ast_channel *chan, void *data, int len, in
        state->sample_queue += samples;
 
        while (state->sample_queue > 0) {
+               ast_channel_lock(chan);
                if ((f = moh_files_readframe(chan))) {
+                       /* We need to be sure that we unlock
+                        * the channel prior to calling
+                        * ast_write. Otherwise, the recursive locking
+                        * that occurs can cause deadlocks when using
+                        * indirect channels, like local channels
+                        */
+                       ast_channel_unlock(chan);
                        state->samples += f->samples;
                        state->sample_queue -= f->samples;
                        res = ast_write(chan, f);
@@ -364,8 +372,10 @@ static int moh_files_generator(struct ast_channel *chan, void *data, int len, in
                                ast_log(LOG_WARNING, "Failed to write frame to '%s': %s\n", chan->name, strerror(errno));
                                return -1;
                        }
-               } else
+               } else {
+                       ast_channel_unlock(chan);
                        return -1;      
+               }
        }
        return res;
 }
@@ -1460,11 +1470,11 @@ static int local_ast_moh_start(struct ast_channel *chan, const char *mclass, con
 
 static void local_ast_moh_stop(struct ast_channel *chan)
 {
-       struct moh_files_state *state = chan->music_state;
        ast_clear_flag(chan, AST_FLAG_MOH);
        ast_deactivate_generator(chan);
 
-       if (state) {
+       ast_channel_lock(chan);
+       if (chan->music_state) {
                if (chan->stream) {
                        ast_closestream(chan->stream);
                        chan->stream = NULL;
@@ -1476,6 +1486,7 @@ static void local_ast_moh_stop(struct ast_channel *chan)
                "Channel: %s\r\n"
                "UniqueID: %s\r\n",
                chan->name, chan->uniqueid);
+       ast_channel_unlock(chan);
 }
 
 static void moh_class_destructor(void *obj)