From: "Daniel P. Berrangé" <berrange@redhat.com>
To: Eric Blake <eblake@redhat.com>
Cc: qemu-devel@nongnu.org, qemu-block@nongnu.org, kwolf@redhat.com,
qemu-stable@nongnu.org
Subject: Re: [PATCH v2 03/12] qio: Unwatch before notify in QIONetListener
Date: Mon, 10 Nov 2025 16:00:42 +0000
Message-ID: <aRIMKry8h336cPup@redhat.com>
In-Reply-To: <20251108230525.3169174-17-eblake@redhat.com>

On Sat, Nov 08, 2025 at 04:59:24PM -0600, Eric Blake wrote:
> When changing the callback registered with QIONetListener, the code
> was calling notify on the old opaque data prior to actually removing
> the old GSource objects still pointing to that data. Similarly,
> during finalize, it called notify before tearing down the various
> GSource objects tied to the data.
>
> In practice, a grep of the QEMU code base found that every existing
> client of QIONetListener passes in a NULL notifier (the opaque data,
> if non-NULL, outlives the NetListener and so does not need cleanup
> when the NetListener is torn down), so this patch has no impact. And
> even if a caller had passed in a reference-counted object with a
> notifier of object_unref but kept its own reference on the data, then
> the early notify would merely reduce a refcount from (say) 2 to 1, but
> not free the object. However, it is a latent bug waiting to bite any
> future caller that passes in data where the notifier actually frees
> the object, because the GSource could then trigger a use-after-free if
> it loses the race on a last-minute client connection resulting in the
> data being passed to one final use of the async callback.
>
> Better is to delay the notify call until after all GSource that have
> been given a copy of the opaque data are torn down.
>
> CC: qemu-stable@nongnu.org
> Fixes: 530473924d "io: introduce a network socket listener API", v2.12.0
> Signed-off-by: Eric Blake <eblake@redhat.com>
>
> ---
> v2: new patch, split out from 4/8 to leave that one as just pure
> refactoring, and call attention to this being a latent bug fix
> ---
> io/net-listener.c | 16 ++++++++--------
> 1 file changed, 8 insertions(+), 8 deletions(-)

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
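
Added example (not part of the original email and not QEMU code): a simplified C model of the teardown ordering that the quoted commit message describes. Listener, watch_opaque and the function names are hypothetical; the model counts how many watches still hold the opaque pointer at the moment the destroy notifier runs, and never dereferences freed memory.

```c
/* Added illustration: a simplified model of the ordering, not QEMU code.
 * Listener, watch_opaque and the function names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#define MAX_WATCH 4

typedef struct {
    void *watch_opaque[MAX_WATCH]; /* per-watch copy; NULL once unwatched */
    int nwatch;
    void *opaque;                  /* callback data owned via notify */
    void (*notify)(void *);        /* destroy notifier for opaque */
} Listener;

/* Detach every watch so none can fire with the old opaque pointer. */
static void unwatch_all(Listener *l) {
    for (int i = 0; i < l->nwatch; i++)
        l->watch_opaque[i] = NULL;
}

/* Run the notifier; return how many watches could still dispatch with
 * the data it is about to release. */
static int notify_opaque(Listener *l) {
    int exposed = 0;
    for (int i = 0; i < l->nwatch; i++)
        exposed += (l->watch_opaque[i] != NULL);
    if (l->notify)
        l->notify(l->opaque);
    l->opaque = NULL;
    return exposed;
}

/* Tear down a listener whose notifier frees the data. Returns the number
 * of watches left holding the pointer when the notifier ran. */
static int teardown(int nwatch, int unwatch_first) {
    if (nwatch > MAX_WATCH) nwatch = MAX_WATCH;
    Listener l = { .nwatch = nwatch, .opaque = malloc(16), .notify = free };
    for (int i = 0; i < nwatch; i++)
        l.watch_opaque[i] = l.opaque;
    if (unwatch_first)
        unwatch_all(&l);              /* order after the patch */
    int exposed = notify_opaque(&l);  /* order before the patch reaches here with live watches */
    unwatch_all(&l);                  /* harmless if already detached */
    return exposed;
}

int main(void) {
    printf("notify first:  %d watches exposed\n", teardown(2, 0));
    printf("unwatch first: %d watches exposed\n", teardown(2, 1));
    return 0;
}
```

A nonzero count is the window in which a late client connection could hand released data to the callback; detaching the watches first closes it.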