From 7068d03e02a795bd35036080a4f9f1951ba432b2 Mon Sep 17 00:00:00 2001 From: Anton Eidelman Date: Mon, 9 Dec 2024 18:20:01 -0700 Subject: [PATCH] reactor: fix crash in pending registration task after poller dtor A poller destructor that finds the poller still has a registration task cancels it (sets _p = nullptr), however the task remains on the task queue. The original commit (below) introduced deleting such registration task object right in ~poller(). Which means the reactor will pick this task from the task queue while the contents is stale: use after free. If we're lucky, _p will still read as nullptr, but otherwise run_and_dispose() will likely segfault. Fix: Removed deleting _registration_task: run_and_dispose() will do it. Fixes: bcb5cf3a8dca19be0e577ee4e3bcd246f949dce6 Signed-off-by: Anton Eidelman Closes scylladb/seastar#2571 --- src/core/reactor.cc | 1 - 1 file changed, 1 deletion(-) diff --git a/src/core/reactor.cc b/src/core/reactor.cc index faa96864f31..627ef8fe2a0 100644 --- a/src/core/reactor.cc +++ b/src/core/reactor.cc @@ -3445,7 +3445,6 @@ poller::~poller() { if (_registration_task) { // not added yet, so don't do it at all. _registration_task->cancel(); - delete _registration_task; } else if (!engine()._finished_running_tasks) { // If _finished_running_tasks, the call to add_task() below will just // leak it, since no one will call task::run_and_dispose(). Just leave
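Review bot: The comment left above the `_registration_task->cancel();` call in this hunk ("not added yet, so don't do it at all.") now reads as if the task object is discarded here, while the point of dropping `delete _registration_task;` is that the task is still on the reactor's task queue and will be freed by `task::run_and_dispose()`; please update the comment to say that ownership stays with the queue, for instance "still on the task queue: cancel it and let run_and_dispose() free it". Since the commit message notes the original use-after-free was only intermittently visible ("If we're lucky, _p will still read as nullptr"), a regression test that destroys a poller before the reactor runs its registration task would be worth adding alongside this one-line change.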