From: Christian Schoenebeck <qemu_oss@crudebyte.com>
To: qemu-devel@nongnu.org
Cc: Geoffrey McRae <geoff@hostfission.com>,
Paolo Bonzini <pbonzini@redhat.com>,
kraxel@redhat.com
Subject: Re: [PATCH v8 1/1] audio/jack: fix use after free segfault
Date: Sat, 22 Aug 2020 08:58:41 +0200 [thread overview]
Message-ID: <4344040.8rWxCWeqvY@silver> (raw)
In-Reply-To: <1f240cabf78098364f7c0a7d399e2773@hostfission.com>
On Samstag, 22. August 2020 02:16:23 CEST Geoffrey McRae wrote:
> On 2020-08-22 03:47, Paolo Bonzini wrote:
> > On 21/08/20 19:34, Christian Schoenebeck wrote:
> >>> static void qjack_fini_out(HWVoiceOut *hw)
> >>> {
> >>>
> >>> QJackOut *jo = (QJackOut *)hw;
> >>> qjack_client_fini(&jo->c);
> >>>
> >>> +
> >>> + qemu_bh_delete(jo->c.shutdown_bh);
> >>
> >> Paolo wrapped that qemu_bh_delete() call inside the lock as well. So I
> >> guess
> >> it makes a difference for the BH API?
> >
> > It is not a problem as long as qjack_client_fini is idempotent.
>
> `qjack_client_fini` is indeed idempotent
Right.
> >>> + qemu_mutex_destroy(&jo->c.shutdown_lock);
> >>>
> >>> }
> >>
> >> Hmmm, is this qemu_mutex_destroy() safe at this point?
> >
> > Perhaps make the mutex global and not destroy it at all.
>
> It's safe at this point as `qjack_fini_out` is only called at device
> destruction, and `qjack_client_fini` ensures that JACK is shut down
> which prevents jack from trying to call the shutdown event handler.
You mean because jack_client_close() is synchronized. That prevents JACK from
firing the callback after jack_client_close() returns, that's correct.
But as qemu_bh_delete() is async, you do not have a guarantee that a
previously scheduled BH shutdown handler is no longer running. So it might
still hold the lock when you attempt to destroy the mutex.
On doubt I would do like Paolo suggested by making the mutex global and not
destroying it at all.
Best regards,
Christian Schoenebeck
next prev parent reply other threads:[~2020-08-22 6:59 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-21 13:45 [PATCH v8 0/1] audio/jack: fix use after free segfault Geoffrey McRae
2020-08-21 13:45 ` [PATCH v8 1/1] " Geoffrey McRae
2020-08-21 17:34 ` Christian Schoenebeck
2020-08-21 17:47 ` Paolo Bonzini
2020-08-22 0:16 ` Geoffrey McRae
2020-08-22 6:58 ` Christian Schoenebeck [this message]
2020-11-07 0:04 ` [PATCH v8 0/1] " Geoffrey McRae
2020-11-07 0:04 ` [PATCH v9 1/1] " Geoffrey McRae
2020-11-07 9:58 ` Christian Schoenebeck
2020-11-07 10:09 ` Christian Schoenebeck
2020-11-08 6:33 ` [PATCH v10 0/1] " Geoffrey McRae
2020-11-08 6:33 ` [PATCH v10 1/1] " Geoffrey McRae
2020-11-08 11:09 ` Christian Schoenebeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4344040.8rWxCWeqvY@silver \
--to=qemu_oss@crudebyte.com \
--cc=geoff@hostfission.com \
--cc=kraxel@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.