From: "Daniel P. Berrangé" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Markus Armbruster" <armbru@redhat.com>,
"Richard Henderson" <richard.henderson@linaro.org>,
"Philippe Mathieu-Daudé" <philmd@linaro.org>,
devel@lists.libvirt.org, qemu-rust@nongnu.org,
"Dr. David Alan Gilbert" <dave@treblig.org>,
"Gerd Hoffmann" <kraxel@redhat.com>,
"Christian Schoenebeck" <qemu_oss@crudebyte.com>,
"Daniel P. Berrangé" <berrange@redhat.com>,
"Marc-André Lureau" <marcandre.lureau@redhat.com>,
"Manos Pitsidianakis" <manos.pitsidianakis@linaro.org>,
"Eduardo Habkost" <eduardo@habkost.net>,
"Pierrick Bouvier" <pierrick.bouvier@linaro.org>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Stefan Weil" <sw@weilnetz.de>
Subject: [PULL 03/27] io: fix cleanup for TLS I/O source data on cancellation
Date: Thu, 5 Mar 2026 17:47:19 +0000 [thread overview]
Message-ID: <20260305174743.3084606-4-berrange@redhat.com> (raw)
In-Reply-To: <20260305174743.3084606-1-berrange@redhat.com>
The TLS code will create a GSource for tracking completion of the
handshake process, passing a QIOChannelTLSData struct that contains
various data items. The data struct is freed by the callback when
it completes, which means when a source is cancelled, nothing is
free'ing the data struct or its contents.
Switch to provide a data free callback to the GSource, which ensures
the QIOChannelTLSData struct is always freed even when the main event
callback never fires.
Fixes: https://gitlab.com/qemu-project/qemu/-/issues/3114
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
io/channel-tls.c | 68 ++++++++++++++++++++++++++++++------------------
1 file changed, 43 insertions(+), 25 deletions(-)
diff --git a/io/channel-tls.c b/io/channel-tls.c
index 07274c12df..940fc3c6d1 100644
--- a/io/channel-tls.c
+++ b/io/channel-tls.c
@@ -153,13 +153,32 @@ struct QIOChannelTLSData {
};
typedef struct QIOChannelTLSData QIOChannelTLSData;
+static void qio_channel_tls_io_data_free(gpointer user_data)
+{
+ QIOChannelTLSData *data = user_data;
+ /*
+ * Usually 'task' will be NULL since the GSource
+ * callback will either complete the task or pass
+ * it on to a new GSource. We'll see a non-NULL
+ * task here only if the GSource was released before
+ * its callback triggers
+ */
+ if (data->task) {
+ qio_task_free(data->task);
+ }
+ if (data->context) {
+ g_main_context_unref(data->context);
+ }
+ g_free(data);
+}
+
static gboolean qio_channel_tls_handshake_io(QIOChannel *ioc,
GIOCondition condition,
gpointer user_data);
-static void qio_channel_tls_handshake_task(QIOChannelTLS *ioc,
- QIOTask *task,
- GMainContext *context)
+static gboolean qio_channel_tls_handshake_task(QIOChannelTLS *ioc,
+ QIOTask *task,
+ GMainContext *context)
{
Error *err = NULL;
int status;
@@ -170,8 +189,7 @@ static void qio_channel_tls_handshake_task(QIOChannelTLS *ioc,
trace_qio_channel_tls_handshake_fail(ioc);
qio_task_set_error(task, err);
qio_task_complete(task);
- qio_task_free(task);
- return;
+ return TRUE;
}
if (status == QCRYPTO_TLS_HANDSHAKE_COMPLETE) {
@@ -184,7 +202,7 @@ static void qio_channel_tls_handshake_task(QIOChannelTLS *ioc,
trace_qio_channel_tls_credentials_allow(ioc);
}
qio_task_complete(task);
- qio_task_free(task);
+ return TRUE;
} else {
GIOCondition condition;
QIOChannelTLSData *data = g_new0(typeof(*data), 1);
@@ -208,8 +226,9 @@ static void qio_channel_tls_handshake_task(QIOChannelTLS *ioc,
condition,
qio_channel_tls_handshake_io,
data,
- NULL,
+ qio_channel_tls_io_data_free,
context);
+ return FALSE;
}
}
@@ -225,11 +244,9 @@ static gboolean qio_channel_tls_handshake_io(QIOChannel *ioc,
qio_task_get_source(task));
tioc->hs_ioc_tag = 0;
- g_free(data);
- qio_channel_tls_handshake_task(tioc, task, context);
-
- if (context) {
- g_main_context_unref(context);
+ if (!qio_channel_tls_handshake_task(tioc, task, context)) {
+ /* task is kept by new GSource so must not be released yet */
+ data->task = NULL;
}
return FALSE;
@@ -252,14 +269,16 @@ void qio_channel_tls_handshake(QIOChannelTLS *ioc,
func, opaque, destroy);
trace_qio_channel_tls_handshake_start(ioc);
- qio_channel_tls_handshake_task(ioc, task, context);
+ if (qio_channel_tls_handshake_task(ioc, task, context)) {
+ qio_task_free(task);
+ }
}
static gboolean qio_channel_tls_bye_io(QIOChannel *ioc, GIOCondition condition,
gpointer user_data);
-static void qio_channel_tls_bye_task(QIOChannelTLS *ioc, QIOTask *task,
- GMainContext *context)
+static gboolean qio_channel_tls_bye_task(QIOChannelTLS *ioc, QIOTask *task,
+ GMainContext *context)
{
GIOCondition condition;
QIOChannelTLSData *data;
@@ -272,14 +291,12 @@ static void qio_channel_tls_bye_task(QIOChannelTLS *ioc, QIOTask *task,
trace_qio_channel_tls_bye_fail(ioc);
qio_task_set_error(task, err);
qio_task_complete(task);
- qio_task_free(task);
- return;
+ return TRUE;
}
if (status == QCRYPTO_TLS_BYE_COMPLETE) {
qio_task_complete(task);
- qio_task_free(task);
- return;
+ return TRUE;
}
data = g_new0(typeof(*data), 1);
@@ -299,7 +316,10 @@ static void qio_channel_tls_bye_task(QIOChannelTLS *ioc, QIOTask *task,
trace_qio_channel_tls_bye_pending(ioc, status);
ioc->bye_ioc_tag = qio_channel_add_watch_full(ioc->master, condition,
qio_channel_tls_bye_io,
- data, NULL, context);
+ data,
+ qio_channel_tls_io_data_free,
+ context);
+ return FALSE;
}
@@ -312,11 +332,9 @@ static gboolean qio_channel_tls_bye_io(QIOChannel *ioc, GIOCondition condition,
QIOChannelTLS *tioc = QIO_CHANNEL_TLS(qio_task_get_source(task));
tioc->bye_ioc_tag = 0;
- g_free(data);
- qio_channel_tls_bye_task(tioc, task, context);
-
- if (context) {
- g_main_context_unref(context);
+ if (!qio_channel_tls_bye_task(tioc, task, context)) {
+ /* task is kept by new GSource so must not be released yet */
+ data->task = NULL;
}
return FALSE;
--
2.53.0
next prev parent reply other threads:[~2026-03-05 17:51 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-05 17:47 [PULL v2 00/27] Misc patches queue Daniel P. Berrangé
2026-03-05 17:47 ` [PULL 01/27] scripts: detect another GPL license boilerplate variant Daniel P. Berrangé
2026-03-05 17:47 ` [PULL 02/27] io: separate freeing of tasks from marking them as complete Daniel P. Berrangé
2026-03-05 17:47 ` Daniel P. Berrangé [this message]
2026-03-05 17:47 ` [PULL 04/27] io: fix cleanup for websock I/O source data on cancellation Daniel P. Berrangé
2026-03-05 17:47 ` [PULL 05/27] docs: simplify DiamondRapids CPU docs Daniel P. Berrangé
2026-03-05 17:47 ` [PULL 06/27] qemu-options: remove extraneous [] around arg values Daniel P. Berrangé
2026-03-05 17:47 ` [PULL 07/27] include: define constant for early constructor priority Daniel P. Berrangé
2026-03-05 17:47 ` [PULL 08/27] monitor: initialize global data from a constructor Daniel P. Berrangé
2026-03-05 17:47 ` [PULL 09/27] system: unconditionally enable thread naming Daniel P. Berrangé
2026-03-05 17:47 ` [PULL 10/27] util: fix race setting thread name on Win32 Daniel P. Berrangé
2026-03-05 17:47 ` [PULL 11/27] util: expose qemu_thread_set_name Daniel P. Berrangé
2026-03-05 17:47 ` [PULL 12/27] audio: make jackaudio use qemu_thread_set_name Daniel P. Berrangé
2026-03-07 11:37 ` Philippe Mathieu-Daudé
2026-03-05 17:47 ` [PULL 13/27] util: set the name for the 'main' thread on Windows Daniel P. Berrangé
2026-03-05 17:47 ` [PULL 14/27] util: add API to fetch the current thread name Daniel P. Berrangé
2026-03-05 17:47 ` [PULL 15/27] util: introduce some API docs for logging APIs Daniel P. Berrangé
2026-03-05 17:47 ` [PULL 16/27] util: avoid repeated prefix on incremental qemu_log calls Daniel P. Berrangé
2026-03-05 17:47 ` [PULL 17/27] util/log: add missing error reporting in qemu_log_trylock_with_err Daniel P. Berrangé
2026-03-05 17:47 ` [PULL 18/27] ui: add proper error reporting for password changes Daniel P. Berrangé
2026-03-05 17:47 ` [PULL 19/27] ui: remove redundant use of error_printf_unless_qmp() Daniel P. Berrangé
2026-03-05 17:47 ` [PULL 20/27] monitor: remove redundant error_[v]printf_unless_qmp Daniel P. Berrangé
2026-03-05 17:47 ` [PULL 21/27] monitor: refactor error_vprintf() Daniel P. Berrangé
2026-03-05 17:47 ` [PULL 22/27] monitor: move error_vprintf back to error-report.c Daniel P. Berrangé
2026-03-05 17:47 ` [PULL 23/27] util: fix interleaving of error & trace output Daniel P. Berrangé
2026-03-05 17:47 ` [PULL 24/27] util: don't skip error prefixes when QMP is active Daniel P. Berrangé
2026-03-05 17:47 ` [PULL 25/27] util: fix interleaving of error prefixes Daniel P. Berrangé
2026-03-05 17:47 ` [PULL 26/27] scripts/checkpatch: Fix MAINTAINERS update warning with --terse Daniel P. Berrangé
2026-03-05 17:47 ` [PULL 27/27] util/oslib-posix: increase memprealloc thread count to 32 Daniel P. Berrangé
2026-03-06 9:49 ` [PULL v2 00/27] Misc patches queue Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260305174743.3084606-4-berrange@redhat.com \
--to=berrange@redhat.com \
--cc=armbru@redhat.com \
--cc=dave@treblig.org \
--cc=devel@lists.libvirt.org \
--cc=eduardo@habkost.net \
--cc=kraxel@redhat.com \
--cc=manos.pitsidianakis@linaro.org \
--cc=marcandre.lureau@redhat.com \
--cc=pbonzini@redhat.com \
--cc=philmd@linaro.org \
--cc=pierrick.bouvier@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=qemu-rust@nongnu.org \
--cc=qemu_oss@crudebyte.com \
--cc=richard.henderson@linaro.org \
--cc=sw@weilnetz.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox