On 05/29/2012 09:51 PM, Wen Congyang wrote:
At 05/30/2012 09:20 AM, Eric Blake Wrote:
> KAMEZAWA Hiroyuki reported a nasty double-free bug when virCommand
> is used to convert a string into input to a child command. The
> problem is that the poll() loop of virCommandProcessIO would close()
> the write end of the pipe in order to let the child see EOF, then
> the caller virCommandRun() would also close the same fd number, with
> the second close possibly nuking an fd opened by some other thread
> in the meantime. This in turn can have all sorts of bad effects.
>
> This is based on his first attempt at a patch, at
> https://bugzilla.redhat.com/show_bug.cgi?id=823716

Closing an fd more than once is the cause of this bug. But there is some
other code that has the same problem. I have been searching for all such
code in recent days.

Thanks for helping on that front.

> + if (inoff == inlen &&
VIR_CLOSE(*inpipe) < 0)
> + VIR_DEBUG("ignoring failed close on fd %d",
infd);
> + infd = -1;
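Review bot: `infd = -1;` on the last line of this hunk sits outside the `if`, so it runs even when `inoff != inlen` and `VIR_CLOSE(*inpipe)` was never called, which leaves the pipe open while the loop's copy of the fd is already invalidated. Split the two tests so the close and the reset always happen together: check `inoff == inlen` first, and inside that block call `VIR_CLOSE(*inpipe)`, log with `VIR_DEBUG` if it fails, and then set `infd = -1`.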
if inoff != inlen, we should not set infd to -1.
Oh, good catch. I'll post a v2.
--
Eric Blake eblake(a)redhat.com +1-919-301-3266
Libvirt virtualization library
http://libvirt.org
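
The fd-number reuse behind the double close described in the patch description, as an added example that is not part of the original thread or of libvirt's code. `close_once` is a hypothetical helper, and a `dup()` in the same thread stands in for the fd that another thread would open between the two closes.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical helper (not libvirt's VIR_CLOSE): close *fd at most once and
 * invalidate the variable, so a second call through it is a no-op. */
static int close_once(int *fd)
{
    int rc = (*fd >= 0) ? close(*fd) : 0;
    *fd = -1;
    return rc;
}

/* Returns 1 when a second close() on a stale number kills an unrelated fd. */
int stale_close_hits_other_fd(void)
{
    int p[2];
    if (pipe(p) < 0) return -1;
    int stale = p[1];          /* caller's private copy of the write end */
    close(p[1]);               /* I/O loop closes it so the child sees EOF */
    int other = dup(p[0]);     /* stand-in for an fd opened by another thread */
    int reused = (other == stale);   /* lowest free number is handed out */
    close(stale);              /* caller closes "its" fd a second time */
    int dead = (fcntl(other, F_GETFD) == -1 && errno == EBADF);
    if (!dead) close(other);
    close(p[0]);
    return reused && dead;
}

/* Returns 1 when closing through one shared variable spares the other fd. */
int close_once_spares_other_fd(void)
{
    int p[2];
    if (pipe(p) < 0) return -1;
    close_once(&p[1]);         /* I/O loop: close and set p[1] to -1 */
    int other = dup(p[0]);     /* reuses the freed number */
    close_once(&p[1]);         /* caller: p[1] is -1, nothing is closed */
    int alive = (fcntl(other, F_GETFD) != -1);
    close(other);
    close(p[0]);
    return alive && p[1] == -1;
}

int main(void)
{
    printf("%d %d\n", stale_close_hits_other_fd(), close_once_spares_other_fd());
    return 0;
}
```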