libxl: Fix possible object refcnt issue

When libxlDomainMigrationDstPrepare adds the @args to an virNetSocketAddIOCallback using libxlMigrateDstReceive as the target of the virNetSocketIOFunc @func with the knowledge that the libxlMigrateDstReceive will virObjectUnref @args at the end thus not needing to Unref during normal processing for libxlDomainMigrationDstPrepare. However, Coverity believes there's an issue with this. The problem is there can be @nsocks virNetSocketAddIOCallback's added, but only one virObjectUnref. That means the first one done will Unref and the subsequent callers may not get the @args (or @opaque) as they expected. If there's only one socket returned from virNetSocketNewListenTCP, then sure that works. However, if it returned more than one there's going to be a problem. To resolve this, since we start with 1 reference from the virObjectNew for @args, we will add 1 reference for each time @args is used for virNetSocketAddIOCallback. Then since libxlDomainMigrationDstPrepare would be done with @args, move it's virObjectUnref from the error: label to the done: label (since error: falls through). That way once the last IOCallback is done, then @args will be freed. Signed-off-by: John Ferlan <jferlan@redhat.com> ACKed-by: Michal Privoznik <mprivozn@redhat.com>
2025-01-22 12:35:17 +00:00 · 2018-09-27 17:41:07 -04:00 · 2018-09-27 17:41:07 -04:00 · 425b9f8aa6
commit 425b9f8aa6
parent 6830c81307
1 changed files with 2 additions and 2 deletions
--- a/src/libxl/libxl_migration.c
+++ b/src/libxl/libxl_migration.c
@ -793,7 +793,7 @@ libxlDomainMigrationDstPrepare(virConnectPtr dconn,
        if (virNetSocketAddIOCallback(socks[i],
                                      VIR_EVENT_HANDLE_READABLE,
                                      libxlMigrateDstReceive,
-                                      args,
+                                      virObjectRef(args),
                                      NULL) < 0)
            continue;

@ -815,7 +815,6 @@ libxlDomainMigrationDstPrepare(virConnectPtr dconn,
        virObjectUnref(socks[i]);
    }
    VIR_FREE(socks);
-    virObjectUnref(args);
    if (priv) {
        virPortAllocatorRelease(priv->migrationPort);
        priv->migrationPort = 0;
@ -831,6 +830,7 @@ libxlDomainMigrationDstPrepare(virConnectPtr dconn,
        VIR_FREE(hostname);
    else
        virURIFree(uri);
+    virObjectUnref(args);
    virDomainObjEndAPI(&vm);
    virObjectUnref(cfg);
    return ret;