On Sat, Nov 08, 2025 at 04:59:24PM -0600, Eric Blake wrote:
> When changing the callback registered with QIONetListener, the code
> was calling notify on the old opaque data prior to actually removing
> the old GSource objects still pointing to that data. Similarly,
> during finalize, it called notify before tearing down the various
> GSource objects tied to the data.
>
> In practice, a grep of the QEMU code base found that every existing
> client of QIONetListener passes in a NULL notifier (the opaque data,
> if non-NULL, outlives the NetListener and so does not need cleanup
> when the NetListener is torn down), so this patch has no impact. And
> even if a caller had passed in a reference-counted object with a
> notifier of object_unref but kept its own reference on the data, then
> the early notify would merely reduce a refcount from (say) 2 to 1, but
> not free the object. However, it is a latent bug waiting to bite any
> future caller that passes in data where the notifier actually frees
> the object, because the GSource could then trigger a use-after-free if
> it loses the race on a last-minute client connection resulting in the
> data being passed to one final use of the async callback.
>
> Better is to delay the notify call until after all GSource that have
> been given a copy of the opaque data are torn down.
>
> CC: [email protected]
> Fixes: 530473924d "io: introduce a network socket listener API", v2.12.0
> Signed-off-by: Eric Blake <[email protected]>
>
> ---
> v2: new patch, split out from 4/8 to leave that one as just pure
> refactoring, and call attention to this being a latent bug fix
> ---
> io/net-listener.c | 16 ++++++++--------
> 1 file changed, 8 insertions(+), 8 deletions(-)
Reviewed-by: Daniel P. Berrangé <[email protected]>

With regards,
Daniel
-- 
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
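The ordering problem the commit message describes, as an added, constructed model rather than QEMU's io/net-listener.c or GLib code: a listener owns a few "sources" that each hold a copy of the caller's opaque pointer, the old code runs the destroy notifier before detaching those sources, and a connection that lands in that window dispatches the callback on already-freed data. The notifier here flips a `live` flag instead of calling `free()` so the late callback can be counted without real undefined behaviour; `Listener`, `Source`, `listener_set_callback`, `main_loop_iterate` and `simulate` are hypothetical names standing in for the QIONetListener/GSource machinery, and `main_loop_iterate` is called explicitly to model the main-loop thread winning the race.

```c
/* Constructed model of callback replacement in a net listener, comparing
 * the old ordering (notify before source teardown) with the fixed ordering
 * (teardown before notify). Not QEMU code; all names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NSOURCES 2

typedef void (*AcceptCb)(void *opaque);
typedef void (*DestroyNotify)(void *opaque);

/* Caller data whose notifier "frees" it. 'live' goes false on notify so a
 * late callback is observable instead of being a real use-after-free. */
typedef struct {
    bool live;
    int accepts;
} ClientData;

/* Stand-in for one GSource per listening socket. */
typedef struct {
    bool attached;   /* still registered with the main loop */
    bool pending;    /* a client connection is queued for dispatch */
    AcceptCb cb;
    void *opaque;
} Source;

typedef struct {
    Source src[NSOURCES];
    AcceptCb cb;
    void *opaque;
    DestroyNotify notify;
} Listener;

static int uaf_hits;   /* callbacks that ran after the notifier "freed" data */

static void on_accept(void *opaque)
{
    ClientData *d = opaque;
    if (!d->live) {
        uaf_hits++;    /* in real code this read is a use-after-free */
        return;
    }
    d->accepts++;
}

static void free_client(void *opaque)
{
    ((ClientData *)opaque)->live = false;
}

static void listener_attach(Listener *l, AcceptCb cb, void *opaque,
                            DestroyNotify notify)
{
    l->cb = cb;
    l->opaque = opaque;
    l->notify = notify;
    for (size_t i = 0; i < NSOURCES; i++) {
        l->src[i] = (Source){ .attached = true, .pending = false,
                              .cb = cb, .opaque = opaque };
    }
}

/* One main-loop iteration: dispatch every attached source with a queued
 * connection. Models the other thread winning the race. */
static void main_loop_iterate(Listener *l)
{
    for (size_t i = 0; i < NSOURCES; i++) {
        Source *s = &l->src[i];
        if (s->attached && s->pending) {
            s->pending = false;
            s->cb(s->opaque);
        }
    }
}

static void sources_destroy(Listener *l)
{
    for (size_t i = 0; i < NSOURCES; i++) {
        l->src[i].attached = false;
        l->src[i].cb = NULL;
        l->src[i].opaque = NULL;
    }
}

/* Replace the registered callback; 'fixed' selects the patched ordering. */
static void listener_set_callback(Listener *l, bool fixed, AcceptCb cb,
                                  void *opaque, DestroyNotify notify)
{
    DestroyNotify old_notify = l->notify;
    void *old_opaque = l->opaque;

    if (!fixed) {
        if (old_notify) old_notify(old_opaque);  /* data gone... */
        main_loop_iterate(l);                    /* ...sources still live */
        sources_destroy(l);
    } else {
        sources_destroy(l);                      /* nothing can fire now */
        main_loop_iterate(l);
        if (old_notify) old_notify(old_opaque);
    }
    if (cb) listener_attach(l, cb, opaque, notify);
}

/* Returns how many callbacks ran on already-notified data. */
int simulate(bool fixed)
{
    Listener l;
    ClientData old = { .live = true, .accepts = 0 };
    ClientData fresh = { .live = true, .accepts = 0 };

    uaf_hits = 0;
    listener_attach(&l, on_accept, &old, free_client);
    l.src[1].pending = true;   /* last-minute connection before the swap */
    listener_set_callback(&l, fixed, on_accept, &fresh, free_client);
    return uaf_hits;
}

int main(void)
{
    printf("old ordering:   %d callback(s) on freed data\n", simulate(false));
    printf("fixed ordering: %d callback(s) on freed data\n", simulate(true));
    return 0;
}
```

With the old ordering the queued connection on the second source is dispatched to `on_accept` with the already-notified pointer; with the fixed ordering the source is detached first, the queued connection is dropped, and the notifier runs only once no source can still hand the pointer to a callback. The same reasoning applies to finalize, where the "new" callback is simply NULL.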
