Re: [libvirt] [PATCH] conf: Remove console stream callback only when freeing console helper

On 08/03/2012 05:27 PM, Peter Krempa wrote: > Commit ba226d334acbc49f6751b430e0c4e00f69eef6bf tried to fix crash of > the daemon when a domain with a open console was destroyed. The fix was > wrong as it tried to remove the callback also when the stream was > aborted, where at that point the fd stream driver was already freed and > removed. > > This patch clears the callbacks with a helper right before the hash is > freed, so that it doesn't interfere with other codepaths where the > stream object is freed. I just tried your patch, it still exists use after free issue: ==21843== 1 errors in context 1 of 11: ==21843== Invalid read of size 4 ==21843== at 0x4D2B79D: virStreamFree (libvirt.c:15345) ==21843== by 0x40B2E1: vshRunConsole (console.c:404) ==21843== by 0x4226CE: cmdRunConsole (virsh-domain.c:1658) ==21843== by 0x422AE3: cmdConsole (virsh-domain.c:1693) ==21843== by 0x42CBC4: vshCommandRun (virsh.c:1867) ==21843== by 0x42F872: main (virsh.c:3269) ==21843== Address 0x53c0250 is 0 bytes inside a block of size 40 free'd ==21843== at 0x4A0595D: free (vg_replace_malloc.c:366) ==21843== by 0x4C916C8: virFree (memory.c:309) ==21843== by 0x4D111BB: virUnrefStream (datatypes.c:1072) ==21843== by 0x4D2B7BD: virStreamFree (libvirt.c:15353) ==21843== by 0x40A984: virConsoleShutdown (console.c:103) ==21843== by 0x4C8912E: virEventPollRunOnce (event_poll.c:485) ==21843== by 0x4C87CA4: virEventRunDefaultImpl (event.c:247) ==21843== by 0x42C8A1: vshEventLoop (virsh.c:2406) ==21843== by 0x4C9C065: virThreadHelper (threads-pthread.c:161) ==21843== by 0x39CF8077F0: start_thread (pthread_create.c:301) ==21843== by 0x39CF0E570C: clone (clone.S:115)

Regards, Alex