On 08/03/12 11:56, Alex Jia wrote:
On 08/03/2012 05:27 PM, Peter Krempa wrote:
Commit ba226d334acbc49f6751b430e0c4e00f69eef6bf tried to fix crash of
the daemon when a domain with a open console was destroyed. The fix was
wrong as it tried to remove the callback also when the stream was
aborted, where at that point the fd stream driver was already freed and
removed.

This patch clears the callbacks with a helper right before the hash is
freed, so that it doesn't interfere with other codepaths where the
stream object is freed.

I just tried your patch; the use-after-free issue still exists:

==21843== 1 errors in context 1 of 11:
==21843== Invalid read of size 4
==21843==    at 0x4D2B79D: virStreamFree (libvirt.c:15345)
==21843==    by 0x40B2E1: vshRunConsole (console.c:404)
==21843==    by 0x4226CE: cmdRunConsole (virsh-domain.c:1658)
==21843==    by 0x422AE3: cmdConsole (virsh-domain.c:1693)
==21843==    by 0x42CBC4: vshCommandRun (virsh.c:1867)
==21843==    by 0x42F872: main (virsh.c:3269)
==21843==  Address 0x53c0250 is 0 bytes inside a block of size 40 free'd
==21843==    at 0x4A0595D: free (vg_replace_malloc.c:366)
==21843==    by 0x4C916C8: virFree (memory.c:309)
==21843==    by 0x4D111BB: virUnrefStream (datatypes.c:1072)
==21843==    by 0x4D2B7BD: virStreamFree (libvirt.c:15353)
==21843==    by 0x40A984: virConsoleShutdown (console.c:103)
==21843==    by 0x4C8912E: virEventPollRunOnce (event_poll.c:485)
==21843==    by 0x4C87CA4: virEventRunDefaultImpl (event.c:247)
==21843==    by 0x42C8A1: vshEventLoop (virsh.c:2406)
==21843==    by 0x4C9C065: virThreadHelper (threads-pthread.c:161)
==21843==    by 0x39CF8077F0: start_thread (pthread_create.c:301)
==21843==    by 0x39CF0E570C: clone (clone.S:115)


We are indeed accessing already freed objects, but this problem is in virsh and not in the daemon where the patch is fixing code.

Peter


Regards,
Alex
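The valgrind trace above shows one stream handle released twice: once by the shutdown callback running on the event-loop thread (virConsoleShutdown), and again by the command path (vshRunConsole) that still holds the now-stale pointer. The following is an added illustration of that ownership pattern and of the usual fix (a single owner that clears its pointer when it releases); it is constructed for this thread and is not libvirt's or virsh's code. The names stream_t, console_t, run_console_buggy and run_console_fixed are hypothetical, and the release is tracked with a flag instead of calling free() so the second release can be observed without undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stream handle (hypothetical, not libvirt's virStream).
 * The memory is kept alive after "release" so a double release can be
 * detected; real code would free() here and the second call would be the
 * invalid read valgrind reported. */
typedef struct stream {
    int refs;
    int released;   /* diagnostic flag: set once the last ref is dropped */
} stream_t;

/* Hypothetical console object: the one place that owns the stream. */
typedef struct console {
    stream_t *st;
} console_t;

static stream_t *stream_new(void)
{
    stream_t *s = calloc(1, sizeof *s);
    if (s)
        s->refs = 1;
    return s;
}

/* Returns 0 on a valid release (or NULL), -1 when the object was already
 * released, i.e. the use-after-free condition. */
static int stream_free(stream_t *s)
{
    if (s == NULL)
        return 0;
    if (s->released)
        return -1;
    if (--s->refs == 0)
        s->released = 1;    /* real code: free(s) */
    return 0;
}

/* Buggy ordering reconstructed from the trace: the shutdown callback
 * releases the stream, but the caller keeps its own copy of the pointer
 * and releases it a second time. */
static void console_shutdown_buggy(console_t *c)
{
    stream_free(c->st);
}

static int run_console_buggy(stream_t *st)
{
    console_t c = { .st = st };
    console_shutdown_buggy(&c);   /* event loop fires shutdown */
    return stream_free(st);       /* stale pointer: second release */
}

/* Fixed ordering: the console owns the stream, clears its pointer when it
 * releases, and the caller only ever goes through the console. */
static void console_shutdown_fixed(console_t *c)
{
    stream_free(c->st);
    c->st = NULL;                 /* ownership ends here */
}

static int run_console_fixed(stream_t *st)
{
    console_t c = { .st = st };
    console_shutdown_fixed(&c);
    return stream_free(c.st);     /* NULL: no-op */
}

/* Each demo allocates, runs one scenario and returns its release status. */
static int demo_buggy(void)
{
    stream_t *s = stream_new();
    int rc = s ? run_console_buggy(s) : -2;
    free(s);
    return rc;
}

static int demo_fixed(void)
{
    stream_t *s = stream_new();
    int rc = s ? run_console_fixed(s) : -2;
    free(s);
    return rc;
}

int main(void)
{
    printf("buggy flow: %d (double release)\n", demo_buggy());
    printf("fixed flow: %d (single owner)\n", demo_fixed());
    return 0;
}
```

The flag-based tracker stands in for what valgrind or AddressSanitizer would catch at runtime; in a real build the buggy path is only visible under such a tool, which is why the trace in the reply is the evidence that matters.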


--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
