When creating a timer/event handler reference counting is used. So it could be possible (in theory) that libxlDomainObjPrivateFree is called with reference counting >1. The problem is that libxlDomainObjPrivateFree leave the object in an invalid state with ctx freed (but still having dandling pointer). This can lead timer/event handler to core. This patch destroy the object before disposing it so at timer/event object is still valid. Signed-off-by: Frediano Ziglio <frediano.ziglio@xxxxxxxxxx>
---
src/libxl/libxl_driver.c | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/src/libxl/libxl_driver.c b/src/libxl/libxl_driver.c
index 935919b..1c8cfd7 100644
--- a/src/libxl/libxl_driver.c
+++ b/src/libxl/libxl_driver.c
@@ -110,6 +110,8 @@ static int libxlVmStart(libxlDriverPrivatePtr driver, virDomainObjPtr vm, bool start_paused, int restore_fd);
+static void libxlDomainObjPrivateDispose(void *obj);
+
 /* Function definitions */ static int libxlDomainObjPrivateOnceInit(void)
@@ -117,7 +119,7 @@ libxlDomainObjPrivateOnceInit(void) if (!(libxlDomainObjPrivateClass = virClassNew(virClassForObjectLockable(), "libxlDomainObjPrivate", sizeof(libxlDomainObjPrivate),
- NULL)))
+ libxlDomainObjPrivateDispose))) return -1; return 0;
@@ -418,14 +420,26 @@ libxlDomainObjPrivateAlloc(void) } static void
-libxlDomainObjPrivateFree(void *data)
+libxlDomainObjPrivateDispose(void *obj) {
- libxlDomainObjPrivatePtr priv = data;
+ libxlDomainObjPrivatePtr priv = obj; if (priv->deathW) libxl_evdisable_domain_death(priv->ctx, priv->deathW); libxl_ctx_free(priv->ctx);
+}
+
+static void
+libxlDomainObjPrivateFree(void *data)
+{
+ libxlDomainObjPrivatePtr priv = data;
+
+ if (priv->deathW) {
+ libxl_evdisable_domain_death(priv->ctx, priv->deathW);
+ priv->deathW = NULL;
+ }
+
 virObjectUnref(priv); }
-- 1.7.10.4
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
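Review bot: In the third hunk, libxlDomainObjPrivateDispose now runs from whichever virObjectUnref drops the last reference, so when a timer or event handler that holds a reference is the last to release it, `libxl_ctx_free(priv->ctx)` executes inside that handler's callback on the very ctx that dispatched it; nothing on the page shows libxl tolerates freeing a ctx from within its own callback, so that should be confirmed before relying on the new ordering. The `if (priv->deathW)` check is now duplicated: once libxlDomainObjPrivateFree has cleared `priv->deathW`, the copy in Dispose can only matter for an object whose last reference is dropped without passing through Free, and neither function says so. I would add above the Dispose check `/* deathW is normally cleared by libxlDomainObjPrivateFree; this covers objects disposed without it */` and above Free's body `/* Disable the death watch and drop this owner's reference; ctx is freed in libxlDomainObjPrivateDispose once the last holder unrefs. */`.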