[libvirt] [PATCHv3 6/6] rpc: Fix connection close callback race condition and memory corruption/crash

[Peter Krempa]

On 04/05/13 04:50, Eric Blake wrote:
> On 03/31/2013 10:20 AM, Peter Krempa wrote:
>> The last Viktor's effort to fix the race and memory corruption unfortunately
>> wasn't complete in the case the close callback was not registered in an
>> connection. At that time, the trail of event's that I'll describe later could
>> still happend and corrupt the memory or cause a crash of the client (including
>> the daemon in case of a p2p migration).
>
>>
>> The new object - virConnectCloseCallbackData - is a lockable object that keeps
>> the pointers to the real user registered callback and ensures that the
>> connection callback is either not called if the connection was already freed or
>> that the connection isn't freed while this is being called.
>> ---
>>   src/datatypes.c            | 55 ++++++++++++++++++++++++++++++++++++--------
>>   src/datatypes.h            | 22 ++++++++++++++----
>>   src/libvirt.c              | 29 ++++++++++++-----------
>>   src/remote/remote_driver.c | 57 +++++++++++++++++++++++++++-------------------
>>   4 files changed, 112 insertions(+), 51 deletions(-)
>
> I've (finally) completed my stress-testing, and agree that this patch is
> sufficient to avoid the race (especially when patch 1/6 is also applied
> to make the race more obvious).
>
> ACK, and let's get this applied and backported to maintenance branches
> as appropriate.

Thanks I've pushed this upstream and I will post a 0.10.2 backport later.

Peter