From 5a4057ee4d181ba3b6bd3adb361b6559ace62c6e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=81ukasz=20Plewa?= <lukasz.plewa@intel.com>
Date: Thu, 28 Feb 2019 16:36:51 +0100
Subject: [PATCH] obj: fix use after free in heap_cleanup

By the time tls_destructor was called arena was already destroyed

fixes: d2fc16caed3c7fe2f188ab1bf44687c939b7c7e1
---
 src/libpmemobj/heap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/libpmemobj/heap.c b/src/libpmemobj/heap.c
index b6e3e01f5..33c6d2048 100644
--- a/src/libpmemobj/heap.c
+++ b/src/libpmemobj/heap.c
@@ -1258,6 +1258,7 @@ heap_cleanup(struct palloc_heap *heap)
 
 	alloc_class_collection_delete(rt->alloc_classes);
 
+	os_tls_key_delete(rt->thread_arena);
 	bucket_delete(rt->default_bucket);
 
 	for (unsigned i = 0; i < rt->narenas; ++i)
@@ -1268,7 +1269,6 @@ heap_cleanup(struct palloc_heap *heap)
 
 	util_mutex_destroy(&rt->arenas_lock);
 
-	os_tls_key_delete(rt->thread_arena);
 
 	Free(rt->arenas);
 
-- 
GitLab