session server BUGFIX call home deadlock

Whenever a CH client is listening before a CH endpoint is created by the
server, a deadlock happens where the server's CH thread tries to grab
the config READ lock for a second time in ignored mod check (grabs it
for the 1st time in ch_client_thread). The config applying thread then
gets hung up in apply_diff on WRITE lock acquisition.

This commit removes the 2nd READ lock acquisition of the CH thread,
removing the deadlock scenario.

Fixes CESNET/netopeer2#1787

Author: Roytak

src/session.c

@@ -1116,8 +1116,16 @@ add_cpblt(const char *capab, char ***cpblts, int *size, int *count)
     ++(*count);
 }
 
-API char **
-nc_server_get_cpblts_version(const struct ly_ctx *ctx, LYS_VERSION version)
+/**
+ * @brief Get the server capabilities.
+ *
+ * @param[in] ctx libyang context.
+ * @param[in] version YANG version of the schemas to be included in result.
+ * @param[in] config_locked Whether the configuration lock is already held or should be acquired.
+ * @return Array of capabilities, NULL on error.
+ */
+static char **
+_nc_server_get_cpblts_version(const struct ly_ctx *ctx, LYS_VERSION version, int config_locked)
 {
     char **cpblts;
     const struct lys_module *mod;
@@ -1232,7 +1240,7 @@ nc_server_get_cpblts_version(const struct ly_ctx *ctx, LYS_VERSION version)
     /* models */
     u = 0;
     while ((mod = ly_ctx_get_module_iter(ctx, &u))) {
-        if (nc_server_is_mod_ignored(mod->name)) {
+        if (nc_server_is_mod_ignored(mod->name, config_locked)) {
             /* ignored, not part of the cababilities */
             continue;
         }
@@ -1337,10 +1345,16 @@ nc_server_get_cpblts_version(const struct ly_ctx *ctx, LYS_VERSION version)
     return NULL;
 }
 
+API char **
+nc_server_get_cpblts_version(const struct ly_ctx *ctx, LYS_VERSION version)
+{
+    return _nc_server_get_cpblts_version(ctx, version, 0);
+}
+
 API char **
 nc_server_get_cpblts(const struct ly_ctx *ctx)
 {
-    return nc_server_get_cpblts_version(ctx, LYS_VERSION_UNDEF);
+    return _nc_server_get_cpblts_version(ctx, LYS_VERSION_UNDEF, 0);
 }
 
 static int
@@ -1400,8 +1414,15 @@ parse_cpblts(struct lyd_node *capabilities, char ***list)
     return ver;
 }
 
+/**
+ * @brief Send NETCONF hello message on a session.
+ *
+ * @param[in] session Session to send the message on.
+ * @param[in] config_locked Whether the configuration READ lock is already held (only relevant for server side).
+ * @return Sent message type.
+ */
 static NC_MSG_TYPE
-nc_send_hello_io(struct nc_session *session)
+nc_send_hello_io(struct nc_session *session, int config_locked)
 {
     NC_MSG_TYPE ret;
     int i, timeout_io;
@@ -1419,7 +1440,7 @@ nc_send_hello_io(struct nc_session *session)
         timeout_io = NC_CLIENT_HELLO_TIMEOUT * 1000;
         sid = NULL;
     } else {
-        cpblts = nc_server_get_cpblts_version(session->ctx, LYS_VERSION_1_0);
+        cpblts = _nc_server_get_cpblts_version(session->ctx, LYS_VERSION_1_0, config_locked);
         if (!cpblts) {
             return NC_MSG_ERROR;
         }
@@ -1609,7 +1630,7 @@ nc_handshake_io(struct nc_session *session)
 {
     NC_MSG_TYPE type;
 
-    type = nc_send_hello_io(session);
+    type = nc_send_hello_io(session, 0);
     if (type != NC_MSG_HELLO) {
         return type;
     }
@@ -1623,6 +1644,26 @@ nc_handshake_io(struct nc_session *session)
     return type;
 }
 
+NC_MSG_TYPE
+nc_ch_handshake_io(struct nc_session *session)
+{
+    NC_MSG_TYPE type;
+
+    if ((session->side != NC_SERVER) || !(session->flags & NC_SESSION_CALLHOME)) {
+        ERR(session, "Call Home handshake can only be performed on a server session with Call Home flag set.");
+        return NC_MSG_ERROR;
+    }
+
+    type = nc_send_hello_io(session, 1);
+    if (type != NC_MSG_HELLO) {
+        return type;
+    }
+
+    type = nc_server_recv_hello_io(session);
+
+    return type;
+}
+
 #ifdef NC_ENABLED_SSH_TLS
 
 /**

src/session_p.h

@@ -1227,6 +1227,15 @@ int nc_ctx_check_and_fill(struct nc_session *session);
  */
 NC_MSG_TYPE nc_handshake_io(struct nc_session *session);
 
+/**
+ * @brief Perform NETCONF handshake on a server-side Call Home session.
+ *
+ * @param[in] session NETCONF session to use.
+ * @return NC_MSG_HELLO on success, NC_MSG_BAD_HELLO on client \<hello\> message parsing fail,
+ * NC_MSG_WOULDBLOCK on timeout, NC_MSG_ERROR on other error.
+ */
+NC_MSG_TYPE nc_ch_handshake_io(struct nc_session *session);
+
 /**
  * @brief Bind a socket to an address and a port.
  *
@@ -1434,9 +1443,10 @@ int nc_session_tls_crl_from_cert_ext_fetch(void *leaf_cert, void *cert_store, vo
  * @brief Check whether a module is not ignored by the server.
  *
  * @param[in] mod_name Module name to check.
+ * @param[in] config_locked Whether the configuration lock is already held or should be acquired in this function.
  * @return Whether the module is ignored.
  */
-int nc_server_is_mod_ignored(const char *mod_name);
+int nc_server_is_mod_ignored(const char *mod_name, int config_locked);
 
 /**
  * Functions

src/session_server.c

@@ -3016,7 +3016,7 @@ nc_connect_ch_endpt(struct nc_ch_endpt *endpt, nc_server_ch_session_acquire_ctx_
     (*session)->id = ATOMIC_INC_RELAXED(server_opts.new_session_id);
 
     /* NETCONF handshake */
-    msgtype = nc_handshake_io(*session);
+    msgtype = nc_ch_handshake_io(*session);
     if (msgtype != NC_MSG_HELLO) {
         goto fail;
     }
@@ -4514,14 +4514,16 @@ nc_server_notif_cert_expiration_thread_stop(int wait)
 #endif /* NC_ENABLED_SSH_TLS */
 
 int
-nc_server_is_mod_ignored(const char *mod_name)
+nc_server_is_mod_ignored(const char *mod_name, int config_locked)
 {
     int ignored = 0;
     LY_ARRAY_COUNT_TYPE i;
 
-    /* LOCK */
-    if (nc_rwlock_lock(&server_opts.config_lock, NC_RWLOCK_READ, NC_CONFIG_LOCK_TIMEOUT, __func__) != 1) {
-        return 0;
+    if (!config_locked) {
+        /* LOCK */
+        if (nc_rwlock_lock(&server_opts.config_lock, NC_RWLOCK_READ, NC_CONFIG_LOCK_TIMEOUT, __func__) != 1) {
+            return 0;
+        }
     }
 
     LY_ARRAY_FOR(server_opts.config.ignored_modules, i) {
@@ -4531,8 +4533,10 @@ nc_server_is_mod_ignored(const char *mod_name)
         }
     }
 
-    /* UNLOCK */
-    nc_rwlock_unlock(&server_opts.config_lock, __func__);
+    if (!config_locked) {
+        /* UNLOCK */
+        nc_rwlock_unlock(&server_opts.config_lock, __func__);
+    }
 
     return ignored;
 }