On 04/18/2017 03:55 AM, Yi Wang wrote:
ka maybe have been freeed in virObjectUnref, application using
virKeepAliveTimer will segfault when unlock ka. We should keep
ka's refs positive before using it.
Signed-off-by: Yi Wang <wang.yi59@xxxxxxxxxx>
---
src/rpc/virkeepalive.c | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/src/rpc/virkeepalive.c b/src/rpc/virkeepalive.c
index c9faf88..4f666fd 100644
--- a/src/rpc/virkeepalive.c
+++ b/src/rpc/virkeepalive.c
@@ -160,17 +160,17 @@ virKeepAliveTimer(int timer ATTRIBUTE_UNUSED, void *opaque)
bool dead;
void *client;
+ virObjectRef(ka);
virObjectLock(ka);
client = ka->client;
dead = virKeepAliveTimerInternal(ka, &msg);
+ virObjectUnlock(ka);
+
if (!dead && !msg)
goto cleanup;
- virObjectRef(ka);
- virObjectUnlock(ka);
-
if (dead) {
ka->deadCB(client);
} else if (ka->sendCB(client, msg) < 0) {
@@ -178,11 +178,8 @@ virKeepAliveTimer(int timer ATTRIBUTE_UNUSED, void *opaque)
virNetMessageFree(msg);
}
- virObjectLock(ka);
- virObjectUnref(ka);
-
cleanup:
- virObjectUnlock(ka);
+ virObjectUnref(ka);
}
Something doesn't feel right here. Firstly, there should always be at
least one reference for this callback to use obtained in
virKeepAliveStart(). So we should be able to do virObjectLock(ka) safely
here. If we are not, something else is messing up the ref counting.
Secondly, it shouldn't matter if we do ref() followed by lock() or the
other way around. The first seems racy; well decreasing chance to hit a
race but nor resolving it.
Do you have a reproducer or something? backtrace perhaps? We can
investigate further.
Michal
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
