mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2025-01-05 12:35:20 +00:00
2065499b60
If a remote call fails during event registration (more than likely from a network failure or remote libvirtd restart timed just right), then when calling the virObjectEventStateDeregisterID we don't want to call the registered @freecb function because that breaks our contract that we would only call it after succesfully returning. If the @freecb routine were called, it could result in a double free from properly coded applications that free their opaque data on failure to register, as seen in the following details: Program terminated with signal 6, Aborted. #0 0x00007fc45cba15d7 in raise #1 0x00007fc45cba2cc8 in abort #2 0x00007fc45cbe12f7 in __libc_message #3 0x00007fc45cbe86d3 in _int_free #4 0x00007fc45d8d292c in PyDict_Fini #5 0x00007fc45d94f46a in Py_Finalize #6 0x00007fc45d960735 in Py_Main #7 0x00007fc45cb8daf5 in __libc_start_main #8 0x0000000000400721 in _start The double dereference of 'pyobj_cbData' is triggered in the following way: (1) libvirt_virConnectDomainEventRegisterAny is invoked. (2) the event is successfully added to the event callback list (virDomainEventStateRegisterClient in remoteConnectDomainEventRegisterAny returns 1 which means ok). (3) when function remoteConnectDomainEventRegisterAny is hit, network connection disconnected coincidently (or libvirtd is restarted) in the context of function 'call' then the connection is lost and the function 'call' failed, the branch virObjectEventStateDeregisterID is therefore taken. (4) 'pyobj_conn' is dereferenced the 1st time in libvirt_virConnectDomainEventFreeFunc. (5) 'pyobj_cbData' (refered to pyobj_conn) is dereferenced the 2nd time in libvirt_virConnectDomainEventRegisterAny. (6) the double free error is triggered. Resolve this by adding a @doFreeCb boolean in order to avoid calling the freeCb in virObjectEventStateDeregisterID for any remote call failure in a remoteConnect*EventRegister* API. For remoteConnect*EventDeregister* calls, the passed value would be true indicating they should run the freecb if it exists; whereas, it's false for the remote call failure path. Patch based on the investigation and initial patch posted by fangying <fangying1@huawei.com>.
95 lines
3.0 KiB
C
95 lines
3.0 KiB
C
/*
|
|
* object_event.h: object event queue processing helpers
|
|
*
|
|
* Copyright (C) 2012-2014 Red Hat, Inc.
|
|
* Copyright (C) 2008 VirtualIron
|
|
* Copyright (C) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
|
*
|
|
* This library is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
* License as published by the Free Software Foundation; either
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
*
|
|
* This library is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
* License along with this library. If not, see
|
|
* <http://www.gnu.org/licenses/>.
|
|
*
|
|
* Author: Ben Guthro
|
|
*/
|
|
|
|
#include "internal.h"
|
|
|
|
#include "virobject.h"
|
|
|
|
#ifndef __OBJECT_EVENT_H__
|
|
# define __OBJECT_EVENT_H__
|
|
|
|
/**
|
|
* Dispatching domain events that come in while
|
|
* in a call / response rpc
|
|
*/
|
|
typedef struct _virObjectEvent virObjectEvent;
|
|
typedef virObjectEvent *virObjectEventPtr;
|
|
|
|
typedef struct _virObjectEventState virObjectEventState;
|
|
typedef virObjectEventState *virObjectEventStatePtr;
|
|
|
|
|
|
virObjectEventStatePtr
|
|
virObjectEventStateNew(void);
|
|
|
|
/**
|
|
* virConnectObjectEventGenericCallback:
|
|
* @conn: the connection pointer
|
|
* @obj: the object pointer
|
|
* @opaque: application specified data
|
|
*
|
|
* A generic object event callback handler. Specific events usually
|
|
* have a customization with extra parameters
|
|
*/
|
|
typedef void (*virConnectObjectEventGenericCallback)(virConnectPtr conn,
|
|
void *obj,
|
|
void *opaque);
|
|
|
|
# define VIR_OBJECT_EVENT_CALLBACK(cb) \
|
|
((virConnectObjectEventGenericCallback)(cb))
|
|
|
|
void
|
|
virObjectEventStateQueue(virObjectEventStatePtr state,
|
|
virObjectEventPtr event)
|
|
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2);
|
|
|
|
void
|
|
virObjectEventStateQueueRemote(virObjectEventStatePtr state,
|
|
virObjectEventPtr event,
|
|
int remoteID)
|
|
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2);
|
|
|
|
int
|
|
virObjectEventStateDeregisterID(virConnectPtr conn,
|
|
virObjectEventStatePtr state,
|
|
int callbackID,
|
|
bool doFreeCb)
|
|
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2);
|
|
|
|
int
|
|
virObjectEventStateEventID(virConnectPtr conn,
|
|
virObjectEventStatePtr state,
|
|
int callbackID,
|
|
int *remoteID)
|
|
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2);
|
|
|
|
void
|
|
virObjectEventStateSetRemote(virConnectPtr conn,
|
|
virObjectEventStatePtr state,
|
|
int callbackID,
|
|
int remoteID)
|
|
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2);
|
|
|
|
#endif
|