Use-after-free and heap-size-mismatch fix.

1. Removed redundant header dependencies to allow building vlogger and state_machine independently from the rest of the code.
2. Fixed logic of set log color output parameter.
3. Rewrote the functions read_file_to_int (src/vma/util/utils.cpp) and env_to_cpuset (src/vma/util/sys_vars.cpp) to enable running the code with ASAN.
4. Fixed a new/delete size mismatch in src/vma/dev/rfs*.
5. Fixed a use-after-free issue in timer_handler.

Author: strike-kokhotnikov

src/stats/stats_printer.cpp

@@ -11,8 +11,7 @@
 #include "vma/util/utils.h"
 #include "vma/util/vma_stats.h"
 #include "vma/lwip/tcp.h"
-#include "vma/vma_extra.h"
-#include "vma/util/sys_vars.h"
+#include "vma/util/vtypes.h"
 
 typedef enum {
 	e_K = 1024,

src/stats/stats_publisher.cpp

@@ -102,7 +102,7 @@ void stats_data_reader::handle_timer_expired(void *ctx)
 
 void stats_data_reader::register_to_timer()
 {
-	m_timer_handler = g_p_event_handler_manager->register_timer_event(STATS_PUBLISHER_TIMER_PERIOD, g_p_stats_data_reader, PERIODIC_TIMER, 0);
+	m_timer_handler = g_p_event_handler_manager->register_timer_event(STATS_PUBLISHER_TIMER_PERIOD, this, PERIODIC_TIMER, 0);
 }
 
 void stats_data_reader::add_data_reader(void* local_addr, void* shm_addr, int size)
@@ -150,6 +150,8 @@ void vma_shmem_stats_open(vlog_levels_t** p_p_vma_log_level, uint8_t** p_p_vma_l
 	}
 	BULLSEYE_EXCLUDE_BLOCK_END
 
+	vlog_printf(VLOG_DEBUG,"%s:%d: Allocated g_p_stats_data_reader pointer as '%p'\n", __func__, __LINE__, g_p_stats_data_reader);
+
 	shmem_size = SHMEM_STATS_SIZE(safe_mce_sys().stats_fd_num_max);
 	buf = malloc(shmem_size);
 	if (buf == NULL)
@@ -277,8 +279,12 @@ void vma_shmem_stats_close()
 	g_sh_mem = NULL;
 	g_p_vlogger_level = NULL;
 	g_p_vlogger_details = NULL;
-	delete g_p_stats_data_reader;
-	g_p_stats_data_reader = NULL;
+	if (g_p_stats_data_reader != NULL) {
+		stats_data_reader* p = g_p_stats_data_reader;
+		g_p_stats_data_reader = NULL;
+		p->set_destroying_state(true);
+		delete p;
+	}
 }
 
 void vma_stats_instance_create_socket_block(socket_stats_t* local_stats_addr)

src/stats/stats_reader.cpp

@@ -15,9 +15,9 @@
 #include <fcntl.h>
 #include <errno.h>
 #include <list>
+#include <netinet/in.h>
 #include <signal.h>
-#include <getopt.h>		/* getopt()*/
-#include <errno.h>
+#include <getopt.h> /* getopt()*/
 #include <dirent.h>
 #include <string.h>
 #include <vector>

src/vlogger/vlogger.cpp

@@ -17,8 +17,6 @@
 #include <fcntl.h>
 
 #include "utils/bullseye.h"
-#include "vma/util/utils.h"
-#include "vma/util/sys_vars.h"
 
 #define VLOG_DEFAULT_MODULE_NAME "VMA"
 #define VMA_LOG_CB_ENV_VAR "VMA_LOG_CB_FUNC_PTR"
@@ -31,7 +29,7 @@ vlog_levels_t* g_p_vlogger_level = NULL;
 uint8_t      g_vlogger_details = 0;
 uint8_t*     g_p_vlogger_details = NULL;
 uint32_t     g_vlogger_usec_on_startup = 0;
-bool         g_vlogger_log_in_colors = MCE_DEFAULT_LOG_COLORS;
+bool g_vlogger_log_in_colors = false;
 vma_log_cb_t g_vlogger_cb = NULL;
 
 namespace log_level

src/vma/dev/rfs.cpp

@@ -120,7 +120,7 @@ rfs::~rfs()
 	delete[] m_sinks_list;
 
 	while (m_attach_flow_data_vector.size() > 0) {
-		delete m_attach_flow_data_vector.back();
+		free(m_attach_flow_data_vector.back());
 		m_attach_flow_data_vector.pop_back();
 	}
 }

src/vma/dev/rfs.h

@@ -8,6 +8,8 @@
 #ifndef RFS_H
 #define RFS_H
 
+#include <stdlib.h>
+#include <type_traits>
 #include <vector>
 
 #include "vma/ib/base/verbs_extra.h"
@@ -213,6 +215,13 @@ class rfs
 	virtual bool 		rx_dispatch_packet(mem_buf_desc_t* p_rx_wc_buf_desc, void* pv_fd_ready_array) = 0;
 
 protected:
+        template <class T, typename ...Args>
+        T * new_malloc(Args ... args) {
+		static_assert(std::is_trivially_destructible<T>::value == true);
+		void * p = aligned_alloc(alignof(T), sizeof(T));
+		return new(p) T(args...);
+        }
+
 	flow_tuple		m_flow_tuple;
 	ring_slave*		m_p_ring;
 	rfs_rule_filter*	m_p_rule_filter;

src/vma/dev/rfs_mc.cpp

@@ -56,7 +56,7 @@ bool rfs_mc::prepare_flow_spec()
 #ifdef DEFINED_IBV_FLOW_SPEC_IB
 				attach_flow_data_ib_v1_t*  attach_flow_data_ib_v1 = NULL;
 
-				attach_flow_data_ib_v1 = new attach_flow_data_ib_v1_t(p_ring->m_p_qp_mgr);
+				attach_flow_data_ib_v1 = new_malloc<attach_flow_data_ib_v1_t>(p_ring->m_p_qp_mgr);
 
 				uint8_t dst_gid[16];
 				create_mgid_from_ipv4_mc_ip(dst_gid, p_ring->m_p_qp_mgr->get_partiton(), m_flow_tuple.get_dst_ip());
@@ -70,7 +70,7 @@ bool rfs_mc::prepare_flow_spec()
 #endif
 			}
 
-			attach_flow_data_ib_v2 = new attach_flow_data_ib_v2_t(p_ring->m_p_qp_mgr);
+			attach_flow_data_ib_v2 = new_malloc<attach_flow_data_ib_v2_t>(p_ring->m_p_qp_mgr);
 
 			ibv_flow_spec_ipv4_set(&(attach_flow_data_ib_v2->ibv_flow_attr.ipv4),
 						m_flow_tuple.get_dst_ip(),
@@ -88,7 +88,7 @@ bool rfs_mc::prepare_flow_spec()
 			{
 			attach_flow_data_eth_ipv4_tcp_udp_t*  attach_flow_data_eth = NULL;
 
-			attach_flow_data_eth = new attach_flow_data_eth_ipv4_tcp_udp_t(p_ring->m_p_qp_mgr);
+			attach_flow_data_eth = new_malloc<attach_flow_data_eth_ipv4_tcp_udp_t>(p_ring->m_p_qp_mgr);
 
 			uint8_t dst_mac[6];
 			create_multicast_mac_from_ip(dst_mac, m_flow_tuple.get_dst_ip());

src/vma/dev/rfs_uc.cpp

@@ -59,7 +59,7 @@ bool rfs_uc::prepare_flow_spec()
 			if (0 == p_ring->m_p_qp_mgr->get_underly_qpn()) {
 				attach_flow_data_ib_ipv4_tcp_udp_v1_t* attach_flow_data_ib_v1 = NULL;
 
-				attach_flow_data_ib_v1 = new attach_flow_data_ib_ipv4_tcp_udp_v1_t(p_ring->m_p_qp_mgr);
+				attach_flow_data_ib_v1 = new_malloc<attach_flow_data_ib_ipv4_tcp_udp_v1_t>(p_ring->m_p_qp_mgr);
 				ibv_flow_spec_ib_set_by_dst_qpn(&(attach_flow_data_ib_v1->ibv_flow_attr.ib),
 							htonl(((IPoIB_addr*)p_ring->m_p_l2_addr)->get_qpn()));
 				p_ipv4 = &(attach_flow_data_ib_v1->ibv_flow_attr.ipv4);
@@ -68,7 +68,7 @@ bool rfs_uc::prepare_flow_spec()
 				break;
 			}
 #endif
-			attach_flow_data_ib_v2 = new attach_flow_data_ib_ipv4_tcp_udp_v2_t(p_ring->m_p_qp_mgr);
+			attach_flow_data_ib_v2 = new_malloc<attach_flow_data_ib_ipv4_tcp_udp_v2_t>(p_ring->m_p_qp_mgr);
 
 			p_ipv4 = &(attach_flow_data_ib_v2->ibv_flow_attr.ipv4);
 			p_tcp_udp = &(attach_flow_data_ib_v2->ibv_flow_attr.tcp_udp);
@@ -77,7 +77,7 @@ bool rfs_uc::prepare_flow_spec()
 			}
 		case VMA_TRANSPORT_ETH:
 			{
-			attach_flow_data_eth = new attach_flow_data_eth_ipv4_tcp_udp_t(p_ring->m_p_qp_mgr);
+			attach_flow_data_eth = new_malloc<attach_flow_data_eth_ipv4_tcp_udp_t>(p_ring->m_p_qp_mgr);
 
 			ibv_flow_spec_eth_set(&(attach_flow_data_eth->ibv_flow_attr.eth),
 					p_ring->m_p_l2_addr->get_address(),

src/vma/dev/time_converter_ptp.h

@@ -9,6 +9,7 @@
 #define TIME_CONVERTER_PTP_H
 
 #include <infiniband/verbs.h>
+#include "vma/ib/base/verbs_extra.h"
 #include "vma/event/timer_handler.h"
 #include <vma/util/sys_vars.h>
 #include "time_converter.h"

src/vma/event/delta_timer.cpp

@@ -200,19 +200,11 @@ void timer::process_registered_timers()
 	timer_node_t* iter = m_list_head;
 	timer_node_t* next_iter;
 	while (iter && (iter->delta_time_msec == milliseconds(0))) {
-		tmr_logfuncall("timer expired on %p", iter->handler);
-
-		/* Special check is need to protect
-		 * from using destroyed object pointed by handler
-		 * See unregister_timer_event()
-		 * Object can be destoyed from another thread (lock protection)
-		 * and from current thread (lock and lock count condition)
-		 */
-		if (iter->handler &&
-			!iter->lock_timer.trylock() &&
-			(1 == iter->lock_timer.is_locked_by_me())) {
-			iter->handler->handle_timer_expired(iter->user_data);
-			iter->lock_timer.unlock();
+		timer_handler * handler = iter->handler.load();
+		tmr_logfuncall("timer expired on %p", handler);
+
+		if (handler) {
+			handler->safe_handle_timer_expired(iter->user_data);
 		}
 		next_iter = iter->next;
 
@@ -225,13 +217,13 @@ void timer::process_registered_timers()
 			break;
 
 		case ONE_SHOT_TIMER:
-			remove_timer(iter, iter->handler);
+			remove_timer(iter, handler);
 			break;
 
 		BULLSEYE_EXCLUDE_BLOCK_START
 		case INVALID_TIMER:
 		default:
-			tmr_logwarn("invalid timer expired on %p", iter->handler);
+			tmr_logwarn("invalid timer expired on %p", handler);
 			break;
 		}
 		BULLSEYE_EXCLUDE_BLOCK_END