From: "Daniel P. Berrangé" <berrange@redhat.com>
To: Eric Blake <eblake@redhat.com>
Cc: qemu-devel@nongnu.org, qemu-block@nongnu.org, kwolf@redhat.com,
	qemu-stable@nongnu.org
Subject: Re: [PATCH v2 03/12] qio: Unwatch before notify in QIONetListener
Date: Mon, 10 Nov 2025 16:00:42 +0000	[thread overview]
Message-ID: <aRIMKry8h336cPup@redhat.com> (raw)
In-Reply-To: <20251108230525.3169174-17-eblake@redhat.com>

On Sat, Nov 08, 2025 at 04:59:24PM -0600, Eric Blake wrote:
> When changing the callback registered with QIONetListener, the code
> was calling notify on the old opaque data prior to actually removing
> the old GSource objects still pointing to that data.  Similarly,
> during finalize, it called notify before tearing down the various
> GSource objects tied to the data.
> 
> In practice, a grep of the QEMU code base found that every existing
> client of QIONetListener passes in a NULL notifier (the opaque data,
> if non-NULL, outlives the NetListener and so does not need cleanup
> when the NetListener is torn down), so this patch has no impact.  And
> even if a caller had passed in a reference-counted object with a
> notifier of object_unref but kept its own reference on the data, then
> the early notify would merely reduce a refcount from (say) 2 to 1, but
> not free the object.  However, it is a latent bug waiting to bite any
> future caller that passes in data where the notifier actually frees
> the object, because the GSource could then trigger a use-after-free if
> it loses the race on a last-minute client connection resulting in the
> data being passed to one final use of the async callback.
> 
> Better is to delay the notify call until after all GSource that have
> been given a copy of the opaque data are torn down.
> 
> CC: qemu-stable@nongnu.org
> Fixes: 530473924d "io: introduce a network socket listener API", v2.12.0
> Signed-off-by: Eric Blake <eblake@redhat.com>
> 
> ---
> v2: new patch, split out from 4/8 to leave that one as just pure
> refactoring, and call attention to this being a latent bug fix
> ---
>  io/net-listener.c | 16 ++++++++--------
>  1 file changed, 8 insertions(+), 8 deletions(-)

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
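The ordering hazard the quoted commit message describes (notify on the opaque data while a GSource still holds the pointer) can be shown without GLib. The following C model is an added example, not QEMU's `io/net-listener.c` code: the `Listener`, `Watch` and `ClientData` types, the notifier that marks the data dead instead of freeing it, and the simulated late connection are all constructed here so the dangerous path is observable as a counter rather than as real undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Stand-in for GDestroyNotify (constructed). */
typedef void (*DestroyNotify)(void *opaque);
/* Stand-in for the async accept callback a GSource invokes (constructed). */
typedef void (*ClientFunc)(void *opaque);

/* Constructed opaque data: the notifier marks it dead instead of freeing it,
 * so a callback that arrives after notify is counted instead of crashing. */
typedef struct {
    bool destroyed;
    int callbacks_after_destroy;
} ClientData;

static void client_data_notify(void *opaque)
{
    ClientData *d = opaque;
    d->destroyed = true;           /* a real notifier would free() here */
}

/* One watch: models a GSource that still holds the opaque pointer and may
 * fire once more (a last-minute connection) until it is removed. */
typedef struct {
    bool pending;                  /* connection arrived, callback not yet run */
    ClientFunc func;
    void *opaque;
} Watch;

typedef struct {
    Watch watch[2];                /* one per listening socket */
    size_t nwatch;
    void *opaque;
    DestroyNotify notify;
} Listener;

static void on_client(void *opaque)
{
    ClientData *d = opaque;
    if (d->destroyed) {
        d->callbacks_after_destroy++;   /* this is the use-after-free */
    }
}

/* Dispatch any pending watch, as the main loop would. */
static void dispatch_pending(Listener *l)
{
    for (size_t i = 0; i < l->nwatch; i++) {
        if (l->watch[i].pending && l->watch[i].func) {
            l->watch[i].pending = false;
            l->watch[i].func(l->watch[i].opaque);
        }
    }
}

/* Remove every watch; a destroyed source never dispatches again. */
static void unwatch(Listener *l)
{
    for (size_t i = 0; i < l->nwatch; i++) {
        l->watch[i].func = NULL;
        l->watch[i].opaque = NULL;
        l->watch[i].pending = false;
    }
}

static void setup(Listener *l, ClientData *d, bool late_connection)
{
    memset(l, 0, sizeof(*l));
    memset(d, 0, sizeof(*d));
    l->nwatch = 2;
    l->opaque = d;
    l->notify = client_data_notify;
    for (size_t i = 0; i < l->nwatch; i++) {
        l->watch[i].func = on_client;
        l->watch[i].opaque = d;
    }
    l->watch[1].pending = late_connection;   /* constructed race: one more client */
}

/* Order before the fix: notify first, then remove the watches. A connection
 * that lands in between reaches the callback with dead data. Returns the
 * number of callbacks that ran on destroyed data (1 in this model). */
int teardown_notify_first(void)
{
    Listener l; ClientData d;
    setup(&l, &d, true);
    if (l.notify) l.notify(l.opaque);
    dispatch_pending(&l);          /* the race window */
    unwatch(&l);
    return d.callbacks_after_destroy;
}

/* Order after the fix: remove every watch that holds the pointer, then
 * notify. The same late connection can no longer reach the callback (0). */
int teardown_unwatch_first(void)
{
    Listener l; ClientData d;
    setup(&l, &d, true);
    unwatch(&l);
    dispatch_pending(&l);          /* same window, but the watches are gone */
    if (l.notify) l.notify(l.opaque);
    return d.callbacks_after_destroy;
}
```

The point to take from the model is the invariant, not the toy types: a destroy notifier may run only once no event source can still hand the pointer to a callback, so teardown removes the sources first and notifies last. Running with AddressSanitizer against a notifier that really calls `free()` turns the counter in `on_client` into a heap-use-after-free report in the first variant and silence in the second.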



Thread overview: 27+ messages
2025-11-08 22:59 [PATCH v2 00/12] Fix deadlock with bdrv_open of self-served NBD Eric Blake
2025-11-08 22:59 ` [PATCH v2 01/12] iotests: Drop execute permissions on vvfat.out Eric Blake
2025-11-10 15:57   ` Daniel P. Berrangé
2025-11-08 22:59 ` [PATCH v2 02/12] qio: Add trace points to net_listener Eric Blake
2025-11-10 15:58   ` Daniel P. Berrangé
2025-11-08 22:59 ` [PATCH v2 03/12] qio: Unwatch before notify in QIONetListener Eric Blake
2025-11-10 16:00   ` Daniel P. Berrangé [this message]
2025-11-08 22:59 ` [PATCH v2 04/12] qio: Remember context of qio_net_listener_set_client_func_full Eric Blake
2025-11-10 16:08   ` Daniel P. Berrangé
2025-11-08 22:59 ` [PATCH v2 05/12] qio: Minor optimization when callback function is unchanged Eric Blake
2025-11-10 16:09   ` Daniel P. Berrangé
2025-11-08 22:59 ` [PATCH v2 06/12] qio: Factor out helpers qio_net_listener_[un]watch Eric Blake
2025-11-10 16:14   ` Daniel P. Berrangé
2025-11-08 22:59 ` [PATCH v2 07/12] qio: Hoist ref of listener outside loop Eric Blake
2025-11-11 14:43   ` Daniel P. Berrangé
2025-11-08 22:59 ` [PATCH v2 08/12] qio: Provide accessor around QIONetListener->sioc Eric Blake
2025-11-10 18:31   ` Eric Blake
2025-11-11 14:15   ` Daniel P. Berrangé
2025-11-08 22:59 ` [PATCH v2 09/12] qio: Prepare NetListener to use AioContext Eric Blake
2025-11-11 14:17   ` Daniel P. Berrangé
2025-11-08 22:59 ` [PATCH v2 10/12] qio: Add QIONetListener API for using AioContext Eric Blake
2025-11-11 14:18   ` Daniel P. Berrangé
2025-11-08 22:59 ` [PATCH v2 11/12] nbd: Avoid deadlock in client connecting to same-process server Eric Blake
2025-11-11 14:20   ` Daniel P. Berrangé
2025-11-08 22:59 ` [PATCH v2 12/12] iotests: Add coverage of recent NBD qio deadlock fix Eric Blake
2025-11-10 16:19   ` Daniel P. Berrangé
2025-11-12  6:35   ` Vladimir Sementsov-Ogievskiy
