fiber: fix use-after-free on shutdown with lingering fiber join

On Tarantool shutdown we destroy all the fibers in some sequence. We don't require that all the fibers are finished before shutdown. So it may turn out that we first destroy some alive fiber and then destroy another alive fiber which joins the first one. Currently we have use-after-free issue in this case because clearing `link` field of the second fiber changes `wake` field of the first fiber. Close #9406 NO_DOC=bugfix

fiber: fix use-after-free on shutdown with lingering fiber join
2f7ec948 · Nikolay Shirokovskiy · Vladimir Davydov · 786eb2ac · 2f7ec948 · 2f7ec948
Commit 2f7ec948 authored 1 year ago by Nikolay Shirokovskiy Committed by Vladimir Davydov 1 year ago
--- a/changelogs/unreleased/gh-9406-fix-use-after-free-on-shutdown.md
+++ b/changelogs/unreleased/gh-9406-fix-use-after-free-on-shutdown.md
+## bugfix/core
+
+* Fixed potential use-after-free on Tarantool shutdown with lingering
+  fiber join (gh-9406).
--- a/src/lib/core/fiber.c
+++ b/src/lib/core/fiber.c
@@ -1637,6 +1637,7 @@ fiber_destroy(struct cord *cord, struct fiber *f)
 	trigger_destroy(&f->on_stop);
 	rlist_del(&f->state);
 	rlist_del(&f->link);
+	rlist_del(&f->wake);
 #ifdef ENABLE_BACKTRACE
 	region_set_callbacks(&f->gc, NULL, NULL, NULL);
 #endif
@@ -1825,6 +1826,7 @@ cord_create(struct cord *cord, const char *name)
 	/* sched fiber is not present in alive/ready/dead list. */
 	rlist_create(&cord->sched.state);
 	rlist_create(&cord->sched.link);
+	rlist_create(&cord->sched.wake);
 	cord->sched.fid = FIBER_ID_SCHED;
 	fiber_reset(&cord->sched);
 	diag_create(&cord->sched.diag);

--- a/test/app-luatest/fiber_test.lua
+++ b/test/app-luatest/fiber_test.lua
@@ -34,3 +34,26 @@ g.test_tostring = function()
    fiber.yield()
    t.assert_equals(tostring(f), "fiber: " .. fid .. " (dead)")
 end
+
+g.test_gh_9406_shutdown_with_lingering_fiber_join = function()
+    local script = [[
+        local fiber = require('fiber')
+
+        local f = nil
+        fiber.create(function()
+            while f == nil do
+                fiber.sleep(0.1)
+            end
+            fiber.join(f)
+        end)
+        f = fiber.new(function()
+            fiber.sleep(1000)
+        end)
+        f:set_joinable(true)
+        fiber.sleep(0.2)
+        os.exit()
+    ]]
+    local tarantool_bin = arg[-1]
+    local cmd = string.format('%s -e "%s"', tarantool_bin, script)
+    t.assert(os.execute(cmd) == 0)
+end