* [PATCH] chardev: close QIOChannel before unref'ing
@ 2024-01-10 11:16 Daniel P. Berrangé
2024-01-10 11:58 ` Marc-André Lureau
From: Daniel P. Berrangé @ 2024-01-10 11:16 UTC (permalink / raw)
To: qemu-devel
Cc: Paolo Bonzini, Marc-André Lureau, Daniel P. Berrangé, jiangyegen
The chardev socket backend will unref the QIOChannel object while
it is still potentially open. When using TLS there could be a
pending TLS handshake taking place. If the channel is left open
then when the TLS handshake callback runs, it can end up accessing
free'd memory in the tcp_chr_tls_handshake method.
Closing the QIOChannel will unregister any pending handshake
source.
Reported-by: jiangyegen <jiangyegen@huawei.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
chardev/char-socket.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/chardev/char-socket.c b/chardev/char-socket.c
index 73947da188..7105753815 100644
--- a/chardev/char-socket.c
+++ b/chardev/char-socket.c
@@ -378,6 +378,10 @@ static void tcp_chr_free_connection(Chardev *chr)
char_socket_yank_iochannel,
QIO_CHANNEL(s->sioc));
}
+
+ if (s->ioc) {
+ qio_channel_close(s->ioc, NULL);
+ }
object_unref(OBJECT(s->sioc));
s->sioc = NULL;
object_unref(OBJECT(s->ioc));
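Review bot: the reason for the new close lives only in the commit message; a one-line comment above `if (s->ioc) {` saying that closing drops any pending TLS handshake source so that tcp_chr_tls_handshake cannot run against freed state would spare the next reader a git blame. The NULL errp passed to `qio_channel_close(s->ioc, NULL);` discards any close error, which is the right choice in a free path, but the same comment could say so explicitly so it does not look like an oversight.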
--
2.43.0
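The lifecycle problem the commit message describes, modelled in C as an added example that is not QEMU's code: the Channel and Source types, channel_close(), channel_unref(), the fixed-size event loop and all the names below are constructed stand-ins for QIOChannel and a GSource, and the "freed" state is recorded with a poison refcount instead of calling free() so a dangling source can be inspected without an actual use-after-free.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed model, not QEMU code: Channel stands in for QIOChannel and
 * Source for a GSource whose user_data is a raw, non-owning pointer to the
 * channel. Memory is never handed to free(); a freed channel is marked
 * with a poison refcount so a dangling Source can be inspected safely. */

typedef struct Channel Channel;
typedef void (*SourceFunc)(Channel *ch);

typedef struct {
    Channel *ch;        /* non-owning: holds no reference */
    SourceFunc func;
    bool active;
} Source;

struct Channel {
    int ref;            /* -1 once "freed" */
    bool open;
    Source *handshake;  /* pending TLS-handshake source, if any */
    int handshakes_run;
};

#define MAX_OBJS 8
static Source sources[MAX_OBJS];
static Channel channels[MAX_OBJS];
static int nsources, nchannels;

static void model_reset(void) {
    memset(sources, 0, sizeof sources);
    memset(channels, 0, sizeof channels);
    nsources = nchannels = 0;
}

static Channel *channel_new(void) {
    Channel *ch = &channels[nchannels++];
    ch->ref = 1;
    ch->open = true;
    return ch;
}

/* Stand-in for tcp_chr_tls_handshake: dereferences its opaque channel. */
static void handshake_cb(Channel *ch) {
    ch->handshakes_run++;
    ch->handshake = NULL;
}

static void channel_start_handshake(Channel *ch) {
    Source *src = &sources[nsources++];
    src->ch = ch;
    src->func = handshake_cb;
    src->active = true;
    ch->handshake = src;
}

/* Closing unregisters the pending handshake source; this is the property
 * the patch relies on qio_channel_close() to provide. */
static void channel_close(Channel *ch) {
    if (!ch->open) return;
    ch->open = false;
    if (ch->handshake) {
        ch->handshake->active = false;
        ch->handshake->ch = NULL;
        ch->handshake = NULL;
    }
}

static void channel_unref(Channel *ch) {
    if (ch && --ch->ref == 0) ch->ref = -1;   /* poison instead of free() */
}

/* Registered sources whose channel is already gone: in a real build each
 * one is a use-after-free waiting for the next main-loop dispatch. */
static int dangling_sources(void) {
    int n = 0;
    for (int i = 0; i < nsources; i++)
        if (sources[i].active && sources[i].ch && sources[i].ch->ref < 0) n++;
    return n;
}

/* One dispatch pass; each active source runs once. Returns how many ran. */
static int loop_dispatch(void) {
    int ran = 0;
    for (int i = 0; i < nsources; i++) {
        if (!sources[i].active) continue;
        sources[i].active = false;
        sources[i].func(sources[i].ch);
        ran++;
    }
    return ran;
}

/* Old behaviour: unref with the handshake still pending. Returns 1. */
static int teardown_without_close(void) {
    model_reset();
    Channel *ch = channel_new();
    channel_start_handshake(ch);
    channel_unref(ch);
    return dangling_sources();
}

/* Patched behaviour: close first, then unref. Returns 0. */
static int teardown_with_close(void) {
    model_reset();
    Channel *ch = channel_new();
    channel_start_handshake(ch);
    channel_close(ch);
    channel_unref(ch);
    return dangling_sources();
}

/* Handshake completes before teardown: returns handshakes run (1) when
 * nothing dangles, -1 otherwise. */
static int handshake_completes_first(void) {
    model_reset();
    Channel *ch = channel_new();
    channel_start_handshake(ch);
    loop_dispatch();
    int ran = ch->handshakes_run;
    channel_close(ch);
    channel_unref(ch);
    return dangling_sources() == 0 ? ran : -1;
}
```

The point of the model is the asymmetry between the two owners: the Source holds only a raw pointer, so dropping the last reference does nothing to it, and the only thing that detaches it is the close. That is why the order in the patch (close, then unref) matters rather than the unref alone.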
* Re: [PATCH] chardev: close QIOChannel before unref'ing
From: Marc-André Lureau @ 2024-01-10 11:58 UTC (permalink / raw)
To: Daniel P. Berrangé; +Cc: qemu-devel, Paolo Bonzini, jiangyegen
Hi
On Wed, Jan 10, 2024 at 3:16 PM Daniel P. Berrangé <berrange@redhat.com> wrote:
>
> The chardev socket backend will unref the QIOChannel object while
> it is still potentially open. When using TLS there could be a
> pending TLS handshake taking place. If the channel is left open
> then when the TLS handshake callback runs, it can end up accessing
> free'd memory in the tcp_chr_tls_handshake method.
>
> Closing the QIOChannel will unregister any pending handshake
> source.
ooh oh, one of those little things..
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
(weak refs could be a solution? but it's also sometime tricky, and we
don't have those..)
>
> Reported-by: jiangyegen <jiangyegen@huawei.com>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
> chardev/char-socket.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/chardev/char-socket.c b/chardev/char-socket.c
> index 73947da188..7105753815 100644
> --- a/chardev/char-socket.c
> +++ b/chardev/char-socket.c
> @@ -378,6 +378,10 @@ static void tcp_chr_free_connection(Chardev *chr)
> char_socket_yank_iochannel,
> QIO_CHANNEL(s->sioc));
> }
> +
> + if (s->ioc) {
> + qio_channel_close(s->ioc, NULL);
> + }
> object_unref(OBJECT(s->sioc));
> s->sioc = NULL;
> object_unref(OBJECT(s->ioc));
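Review bot: the `if (s->ioc)` guard around the new close sits two lines above an unconditional `object_unref(OBJECT(s->ioc));`, so the hunk depends on object_unref() tolerating a NULL pointer while qio_channel_close() does not; that is correct but reads as inconsistent at a glance. Either guarding the unref the same way, or a short comment noting that s->ioc may be NULL here and that object_unref() handles that, would make the intent clear.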
> --
> 2.43.0
>