dialog: re-read state under lock before bye_on_timeout (GH-3835)

NormB · NormB · commit 887d200d24fa · 2026-03-27T11:06:58.000-04:00
Fix A (timer removal under lock) and Fix B (cached state read at top of dlg_ontimeout) from commit 196b51f are insufficient for a third race path: 1. Timer fires, dlg_ontimeout reads dlg_state=CONFIRMED under lock 2. BYE arrives on another worker, next_state_dlg transitions to DELETED (timer removal inside lock returns >0: already dequeued) 3. Timer handler still sees cached dlg_state==CONFIRMED 4. Timer enters bye_on_timeout: dlg_end_dlg() + unref_dlg(1) 5. BYE worker completes its unref chain, destroys dialog 6. Timer callbacks access freed memory -> bogus ref -1 Fix: re-read dlg->state under the hash lock immediately before each critical decision point (rt_on_timeout route and bye_on_timeout path). Ref: #3835
diff --git a/modules/dialog/dlg_handlers.c b/modules/dialog/dlg_handlers.c
@@ -2487,6 +2487,15 @@ void dlg_ontimeout(struct dlg_tl *tl)
 		}
 	}
 
+	/* Re-read state under lock before running on_timeout route.
+	 * The cached dlg_state from the top of this function may be stale
+	 * if a BYE arrived between our initial read and now - a concurrent
+	 * worker may have transitioned the dialog to DELETED.
+	 * (GH-3835, third race path) */
+	dlg_lock(d_table, d_entry);
+	dlg_state = dlg->state;
+	dlg_unlock(d_table, d_entry);
+
 	if (do_expire_actions
 	&& ref_script_route_check_and_update(dlg->rt_on_timeout)
 	&& dlg_state<DLG_STATE_DELETED) {
@@ -2515,6 +2524,17 @@ void dlg_ontimeout(struct dlg_tl *tl)
 		 * here, as the following code will do this for us later */
 	}
 
+	/* Re-check state under lock immediately before acting on it.
+	 * The cached dlg_state may be stale if a BYE worker transitioned
+	 * the dialog to DELETED between our initial read and now.  Without
+	 * this re-read, the timer handler enters the bye_on_timeout path,
+	 * calls dlg_end_dlg() + unref, while the BYE worker also completes
+	 * its unref chain - resulting in "bogus ref -1 with cnt 1".
+	 * (GH-3835, third race path) */
+	dlg_lock(d_table, d_entry);
+	dlg_state = dlg->state;
+	dlg_unlock(d_table, d_entry);
+
 	if ((dlg->flags&DLG_FLAG_BYEONTIMEOUT) &&
 	(dlg_state==DLG_STATE_CONFIRMED_NA || dlg_state==DLG_STATE_CONFIRMED)) {
 
