Fix use-after-free in tl_pending_args across subinterpreters

benoitc · benoitc · commit 748d9339acdb · 2026-03-10T22:56:10.000+01:00
Clear tl_pending_args to NULL whenever tl_pending_callback is set to
false. Previously, the thread-local pointer was left dangling after
callback completion. When a dirty scheduler thread later handled a
different subinterpreter's code, Py_XDECREF on the stale pointer
would attempt to free memory from the wrong allocator.
diff --git a/c_src/py_callback.c b/c_src/py_callback.c
@@ -563,6 +563,7 @@ static PyObject *build_pending_callback_exc_args(void) {
     PyObject *exc_args = PyTuple_New(3);
     if (exc_args == NULL) {
         tl_pending_callback = false;
+        Py_CLEAR(tl_pending_args);
         return NULL;
     }
 
@@ -575,6 +576,7 @@ static PyObject *build_pending_callback_exc_args(void) {
         Py_XDECREF(func_name_obj);
         Py_DECREF(exc_args);
         tl_pending_callback = false;
+        Py_CLEAR(tl_pending_args);
         return NULL;
     }
 
@@ -610,6 +612,7 @@ static ERL_NIF_TERM build_suspended_result(ErlNifEnv *env, suspended_state_t *su
     ERL_NIF_TERM args_term = py_to_term(env, tl_pending_args);
 
     tl_pending_callback = false;
+    Py_CLEAR(tl_pending_args);
 
     return enif_make_tuple4(env,
         ATOM_SUSPENDED,
@@ -811,6 +814,7 @@ static ERL_NIF_TERM build_suspended_context_result(ErlNifEnv *env, suspended_con
     ERL_NIF_TERM args_term = py_to_term(env, tl_pending_args);
 
     tl_pending_callback = false;
+    Py_CLEAR(tl_pending_args);
 
     return enif_make_tuple4(env,
         ATOM_SUSPENDED,
@@ -1553,6 +1557,7 @@ static PyObject *erlang_call_impl(PyObject *self, PyObject *args) {
     tl_pending_func_name = enif_alloc(func_name_len + 1);
     if (tl_pending_func_name == NULL) {
         tl_pending_callback = false;
+        Py_CLEAR(tl_pending_args);
         Py_DECREF(call_args);
         PyErr_SetString(PyExc_MemoryError, "Failed to allocate function name");
         return NULL;
@@ -1561,9 +1566,12 @@ static PyObject *erlang_call_impl(PyObject *self, PyObject *args) {
     tl_pending_func_name[func_name_len] = '\0';
     tl_pending_func_name_len = func_name_len;
 
-    /* Store args (take ownership) */
-    Py_XDECREF(tl_pending_args);
-    tl_pending_args = call_args;  /* Takes ownership, don't decref */
+    /* Store args (take ownership)
+     * Use Py_XSETREF for swap-first pattern: sets tl_pending_args to new value
+     * BEFORE decref'ing old value. This prevents re-entrancy issues if the old
+     * object's finalizer triggers another erlang.call() during decref.
+     */
+    Py_XSETREF(tl_pending_args, call_args);
 
     /* Raise exception to abort Python execution */
     PyErr_SetString(SuspensionRequiredException, "callback pending");
@@ -2649,6 +2657,7 @@ static ERL_NIF_TERM nif_resume_callback_dirty(ErlNifEnv *env, int argc, const ER
                     Py_DECREF(exc_args);
                     if (new_suspended == NULL) {
                         tl_pending_callback = false;
+                        Py_CLEAR(tl_pending_args);
                         result = make_error(env, "create_nested_suspended_state_failed");
                     } else {
                         result = build_suspended_result(env, new_suspended);
@@ -2717,6 +2726,7 @@ static ERL_NIF_TERM nif_resume_callback_dirty(ErlNifEnv *env, int argc, const ER
                         Py_DECREF(exc_args);
                         if (new_suspended == NULL) {
                             tl_pending_callback = false;
+                            Py_CLEAR(tl_pending_args);
                             result = make_error(env, "create_nested_suspended_state_failed");
                         } else {
                             result = build_suspended_result(env, new_suspended);
diff --git a/c_src/py_exec.c b/c_src/py_exec.c
@@ -306,6 +306,7 @@ static void process_request(py_request_t *req) {
                     Py_DECREF(exc_args);
                     if (suspended == NULL) {
                         tl_pending_callback = false;
+                        Py_CLEAR(tl_pending_args);
                         req->result = make_error(env, "create_suspended_state_failed");
                     } else {
                         req->result = build_suspended_result(env, suspended);
@@ -393,6 +394,7 @@ static void process_request(py_request_t *req) {
                         Py_DECREF(exc_args);
                         if (suspended == NULL) {
                             tl_pending_callback = false;
+                            Py_CLEAR(tl_pending_args);
                             req->result = make_error(env, "create_suspended_state_failed");
                         } else {
                             req->result = build_suspended_result(env, suspended);
diff --git a/c_src/py_nif.c b/c_src/py_nif.c
@@ -2280,6 +2280,7 @@ static ERL_NIF_TERM nif_context_call(ErlNifEnv *env, int argc, const ERL_NIF_TER
 
             if (suspended == NULL) {
                 tl_pending_callback = false;
+                Py_CLEAR(tl_pending_args);
                 result = make_error(env, "create_suspended_state_failed");
             } else {
                 result = build_suspended_context_result(env, suspended);
@@ -2382,6 +2383,7 @@ static ERL_NIF_TERM nif_context_eval(ErlNifEnv *env, int argc, const ERL_NIF_TER
 
             if (suspended == NULL) {
                 tl_pending_callback = false;
+                Py_CLEAR(tl_pending_args);
                 result = make_error(env, "create_suspended_state_failed");
             } else {
                 result = build_suspended_context_result(env, suspended);
@@ -2867,12 +2869,14 @@ static ERL_NIF_TERM nif_context_resume(ErlNifEnv *env, int argc, const ERL_NIF_T
 
                 if (nested == NULL) {
                     tl_pending_callback = false;
+                    Py_CLEAR(tl_pending_args);
                     result = make_error(env, "create_nested_suspended_state_failed");
                 } else {
                     /* Copy accumulated callback results from parent to nested state */
                     if (copy_callback_results_to_nested(nested, state) != 0) {
                         enif_release_resource(nested);
                         tl_pending_callback = false;
+                        Py_CLEAR(tl_pending_args);
                         result = make_error(env, "copy_callback_results_failed");
                     } else {
                         result = build_suspended_context_result(env, nested);
@@ -2921,12 +2925,14 @@ static ERL_NIF_TERM nif_context_resume(ErlNifEnv *env, int argc, const ERL_NIF_T
 
                 if (nested == NULL) {
                     tl_pending_callback = false;
+                    Py_CLEAR(tl_pending_args);
                     result = make_error(env, "create_nested_suspended_state_failed");
                 } else {
                     /* Copy accumulated callback results from parent to nested state */
                     if (copy_callback_results_to_nested(nested, state) != 0) {
                         enif_release_resource(nested);
                         tl_pending_callback = false;
+                        Py_CLEAR(tl_pending_args);
                         result = make_error(env, "copy_callback_results_failed");
                     } else {
                         result = build_suspended_context_result(env, nested);
