From: John Cai <johncai86@xxxxxxxxx> In the tmp-objdir api, tmp_objdir_create will create a temporary directory but also register signal handlers responsible for removing the directory's contents and the directory itself. However, the function responsible for recursively removing the contents and directory, remove_dir_recurse() calls opendir(3) and closedir(3). This can be problematic because these functions allocate and free memory, which are not async-signal-safe functions. This can lead to deadlocks. One place we call tmp_objdir_create() is in git-receive-pack, where we create a temporary quarantine directory "incoming". Incoming objects will be written to this directory before they get moved to the object directory. We have observed this code leading to a deadlock: Thread 1 (Thread 0x7f621ba0b200 (LWP 326305)): #0 __lll_lock_wait_private (futex=futex@entry=0x7f621bbf8b80 <main_arena>) at ./lowlevellock.c:35 #1 0x00007f621baa635b in __GI___libc_malloc (bytes=bytes@entry=32816) at malloc.c:3064 #2 0x00007f621bae9f49 in __alloc_dir (statp=0x7fff2ea7ed60, flags=0, close_fd=true, fd=5) at ../sysdeps/posix/opendir.c:118 #3 opendir_tail (fd=5) at ../sysdeps/posix/opendir.c:69 #4 __opendir (name=<optimized out>) at ../sysdeps/posix/opendir.c:92 #5 0x0000557c19c77de1 in remove_dir_recurse () #6 0x0000557c19d81a4f in remove_tmp_objdir_on_signal () #7 <signal handler called> #8 _int_malloc (av=av@entry=0x7f621bbf8b80 <main_arena>, bytes=bytes@entry=7160) at malloc.c:4116 #9 0x00007f621baa62c9 in __GI___libc_malloc (bytes=7160) at malloc.c:3066 #10 0x00007f621bd1e987 in inflateInit2_ () from /opt/gitlab/embedded/lib/libz.so.1 #11 0x0000557c19dbe5f4 in git_inflate_init () #12 0x0000557c19cee02a in unpack_compressed_entry () #13 0x0000557c19cf08cb in unpack_entry () #14 0x0000557c19cf0f32 in packed_object_info () #15 0x0000557c19cd68cd in do_oid_object_info_extended () #16 0x0000557c19cd6e2b in read_object_file_extended () #17 0x0000557c19cdec2f in parse_object () #18 0x0000557c19c34977 in lookup_commit_reference_gently () #19 0x0000557c19d69309 in mark_uninteresting () #20 0x0000557c19d2d180 in do_for_each_repo_ref_iterator () #21 0x0000557c19d21678 in for_each_ref () #22 0x0000557c19d6a94f in assign_shallow_commits_to_refs () #23 0x0000557c19bc02b2 in cmd_receive_pack () #24 0x0000557c19b29fdd in handle_builtin () #25 0x0000557c19b2a526 in cmd_main () #26 0x0000557c19b28ea2 in main () To prevent this, add a flag REMOVE_DIR_SIGNAL that allows remove_dir_recurse() to know that a signal is being handled and avoid calling opendir(3). One implication of this change is that when signal handling, the temporary directory may not get cleaned up properly. Signed-off-by: John Cai <johncai86@xxxxxxxxx> --- tmp-objdir: do not closedir() when handling a signal We have recently observed a Git process hanging around for weeks. A backtrace revealed that a git-receive-pack(1) process was deadlocked when trying to remove the quarantine directory "incoming." It turns out that the tmp_objdir API calls opendir(3) and closedir(3) to observe a directory's contents in order to remove all the contents before removing the directory itself. These functions are not async signal save as they allocate and free memory. The fix is to avoid calling these functions when handling a signal in order to avoid a deadlock. The implication of such a fix however, is that temporary object directories may not get cleaned up properly when a signal is being handled. The tradeoff this fix is making is to prevent deadlocks at the cost of temporary object directory cleanup. This is similar to 58d4d7f1c5 (2022-01-07 fetch: fix deadlock when cleaning up lockfiles in async signals) Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-git-1348%2Fjohn-cai%2Fjc%2Ffix-tmp-objdir-signal-handling-v1 Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-git-1348/john-cai/jc/fix-tmp-objdir-signal-handling-v1 Pull-Request: https://github.com/git/git/pull/1348 dir.c | 7 +++++-- dir.h | 3 +++ tmp-objdir.c | 7 ++++++- 3 files changed, 14 insertions(+), 3 deletions(-) diff --git a/dir.c b/dir.c index 75429508200..a3183cb043f 100644 --- a/dir.c +++ b/dir.c @@ -3244,7 +3244,7 @@ void strip_dir_trailing_slashes(char *dir) static int remove_dir_recurse(struct strbuf *path, int flag, int *kept_up) { - DIR *dir; + DIR *dir = NULL; struct dirent *e; int ret = 0, original_len = path->len, len, kept_down = 0; int only_empty = (flag & REMOVE_DIR_EMPTY_ONLY); @@ -3261,7 +3261,10 @@ static int remove_dir_recurse(struct strbuf *path, int flag, int *kept_up) } flag &= ~REMOVE_DIR_KEEP_TOPLEVEL; - dir = opendir(path->buf); + + if ((flag & REMOVE_DIR_SIGNAL) == 0) + dir = opendir(path->buf); + if (!dir) { if (errno == ENOENT) return keep_toplevel ? -1 : 0; diff --git a/dir.h b/dir.h index 674747d93af..ba159f4abeb 100644 --- a/dir.h +++ b/dir.h @@ -498,6 +498,9 @@ int get_sparse_checkout_patterns(struct pattern_list *pl); /* Remove the_original_cwd too */ #define REMOVE_DIR_PURGE_ORIGINAL_CWD 0x08 +/* Indicates a signal is being handled */ +#define REMOVE_DIR_SIGNAL 0x16 + /* * Remove path and its contents, recursively. flags is a combination * of the above REMOVE_DIR_* constants. Return 0 on success. diff --git a/tmp-objdir.c b/tmp-objdir.c index adf6033549e..13943098738 100644 --- a/tmp-objdir.c +++ b/tmp-objdir.c @@ -34,6 +34,7 @@ static void tmp_objdir_free(struct tmp_objdir *t) static int tmp_objdir_destroy_1(struct tmp_objdir *t, int on_signal) { int err; + int flags = 0; if (!t) return 0; @@ -49,7 +50,11 @@ static int tmp_objdir_destroy_1(struct tmp_objdir *t, int on_signal) * have pre-grown t->path sufficiently so that this * doesn't happen in practice. */ - err = remove_dir_recursively(&t->path, 0); + + if (on_signal) + flags = flags | REMOVE_DIR_SIGNAL; + + err = remove_dir_recursively(&t->path, flags); /* * When we are cleaning up due to a signal, we won't bother base-commit: 4fd6c5e44459e6444c2cd93383660134c95aabd1 -- gitgitgadget