From: "Daniel P. Berrangé" <berrange@redhat.com>
To: "Wangjing(Hogan)" <hogan.wang@huawei.com>
Cc: "Marc-André Lureau" <marcandre.lureau@gmail.com>,
"Markus Armbruster" <armbru@redhat.com>,
QEMU <qemu-devel@nongnu.org>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Wangxin (Alexander)" <wangxinxin.wang@huawei.com>
Subject: Re: [PATCH v2] chardev: avoid use-after-free when client disconnect
Date: Wed, 20 Jul 2022 10:00:45 +0100
Message-ID: <YtfEPToCzYz2Etvy@redhat.com>
In-Reply-To: <30274fbaea9d437baff2d703a203f9a8@huawei.com>
On Wed, Jul 20, 2022 at 08:55:46AM +0000, Wangjing(Hogan) wrote:
>
> > On Wed, Jul 20, 2022 at 11:36:07AM +0400, Marc-André Lureau wrote:
> > > Hi
> > >
> > > On Wed, Jul 20, 2022 at 11:13 AM Hogan Wang via
> > > <qemu-devel@nongnu.org>
> > > wrote:
> > >
> > > > IOWatchPoll object did not hold the @ioc and @src objects reference,
> > > > then io_watch_poll_prepare execute in IO thread, if IOWatchPoll
> > > > removed by mian thread, then io_watch_poll_prepare access @ioc or
> > > >
> > >
> > > mian->main
> > >
> > >
> > > > @src concurrently lead to coredump.
> > > >
> > > > In the IO-thread monitor scenario, the IO thread is used to accept the client,
> > > > receive QMP requests and handle the hang-up event. The main thread is used to
> > > > handle QMP requests and send responses; it will remove the IOWatchPoll and
> > > > free @ioc when sending the response fails, which then causes a use-after-free
> > > >
> > >
> > > I wonder if we are misusing GSources in that case, by removing sources
> > > from different threads.. Could you be more specific about the code
> > > path that leads to that?
> >
> > It is permitted, but unfortunately every version of glib prior to 2.64 has a race condition that means you'll periodically get a use-after-free and a crash:
> >
> > https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1358
> >
> > Libvirt worked around this problem by not calling 'g_source_unref'
> > directly, but instead has a helper that uses g_idle_add to delay the unref such that it's guaranteed to happen inside the main event loop thread.
> >
> > So I'd like to know what version of glib Hogan is using
>
> I am using glib2-2.62.5 in the test environment, so it looks like a glib2 known issue.
Hmm, actually the fix should have been backported into the 2.62.5
release according to this
https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1361
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
Thread overview:
2022-07-20 8:55 [PATCH v2] chardev: avoid use-after-free when client disconnect Wangjing(Hogan) via
2022-07-20 9:00 ` Daniel P. Berrangé [this message]
-- strict thread matches above, loose matches on Subject: below --
2022-07-20 10:07 Wangjing(Hogan) via
2022-07-20 7:10 Hogan Wang via
2022-07-20 7:36 ` Marc-André Lureau
2022-07-20 8:19 ` Daniel P. Berrangé