[libvirt] [libvirt-glib] event: remove timeout and handle from arrays

Otherwise, it will crash next time it goes find(). ==9856== Invalid read of size 4 ==9856== at 0x84E4888: gvir_event_timeout_find (libvirt-glib-event.c:293) ==9856== by 0x84E48E4: gvir_event_timeout_update (libvirt-glib-event.c:308) ==9856== by 0x31AB04BBDB: virEventUpdateTimeout (event.c:122) ==9856== by 0x31AB148758: virNetClientStreamEventTimerUpdate (virnetclientstream.c:81) ==9856== by 0x31AB14991C: virNetClientStreamEventAddCallback (virnetclientstream.c:471) ==9856== by 0x31AB12944F: remoteStreamEventAddCallback (remote_driver.c:3484) ==9856== by 0x31AB108EAC: virStreamEventAddCallback (libvirt.c:14036) ... ==9856== Address 0x143be760 is 0 bytes inside a block of size 40 free'd ==9856== at 0x4A06928: free (vg_replace_malloc.c:427) ==9856== by 0x84E4AD6: gvir_event_timeout_remove (libvirt-glib-event.c:361) ==9856== by 0x31AB04BC2C: virEventRemoveTimeout (event.c:136) ==9856== by 0x31AB149B24: virNetClientStreamEventRemoveCallback (virnetclientstream.c:521) ==9856== by 0x31AB129566: remoteStreamEventRemoveCallback (remote_driver.c:3525) ==9856== by 0x31AB10918F: virStreamEventRemoveCallback (libvirt.c:14114) ... --- libvirt-glib/libvirt-glib-event.c | 83 +++++++++++++++++++++++------------- 1 files changed, 53 insertions(+), 30 deletions(-) diff --git a/libvirt-glib/libvirt-glib-event.c b/libvirt-glib/libvirt-glib-event.c index 8b1bddf..303bec7 100644 --- a/libvirt-glib/libvirt-glib-event.c +++ b/libvirt-glib/libvirt-glib-event.c @@ -61,12 +61,10 @@ struct gvir_event_timeout GMutex *eventlock = NULL; static int nextwatch = 1; -static unsigned int nhandles = 0; -static struct gvir_event_handle **handles = NULL; +static GPtrArray *handles; static int nexttimer = 1; -static unsigned int ntimeouts = 0; -static struct gvir_event_timeout **timeouts = NULL; +static GPtrArray *timeouts; static gboolean gvir_event_handle_dispatch(GIOChannel *source G_GNUC_UNUSED, @@ -106,9 +104,7 @@ gvir_event_handle_add(int fd, g_mutex_lock(eventlock); - handles = g_realloc(handles, sizeof(*handles)*(nhandles+1)); - data = g_malloc(sizeof(*data)); - memset(data, 0, sizeof(*data)); + data = g_new0(struct gvir_event_handle, 1); if (events & VIR_EVENT_HANDLE_READABLE) cond |= G_IO_IN; @@ -130,7 +126,7 @@ gvir_event_handle_add(int fd, gvir_event_handle_dispatch, data); - handles[nhandles++] = data; + g_ptr_array_add(handles, data); ret = data->watch; @@ -140,12 +136,24 @@ gvir_event_handle_add(int fd, } static struct gvir_event_handle * -gvir_event_handle_find(int watch) +gvir_event_handle_find(int watch, guint *idx) { - unsigned int i; - for (i = 0 ; i < nhandles ; i++) - if (handles[i]->watch == watch) - return handles[i]; + guint i; + + for (i = 0 ; i < handles->len ; i++) { + struct gvir_event_handle *h = g_ptr_array_index(handles, i); + + if (h == NULL) { + g_warn_if_reached (); + continue; + } + + if (h->watch == watch) { + if (idx != NULL) + *idx = i; + return h; + } + } return NULL; } @@ -158,7 +166,7 @@ gvir_event_handle_update(int watch, g_mutex_lock(eventlock); - data = gvir_event_handle_find(watch); + data = gvir_event_handle_find(watch, NULL); if (!data) { DEBUG("Update for missing handle watch %d", watch); goto cleanup; @@ -202,7 +210,8 @@ _handle_remove(gpointer data) if (h->ff) (h->ff)(h->opaque); - free(h); + + g_ptr_array_remove_fast(handles, h); return FALSE; } @@ -212,10 +221,11 @@ gvir_event_handle_remove(int watch) { struct gvir_event_handle *data; int ret = -1; + guint idx; g_mutex_lock(eventlock); - data = gvir_event_handle_find(watch); + data = gvir_event_handle_find(watch, &idx); if (!data) { DEBUG("Remove of missing watch %d", watch); goto cleanup; @@ -259,10 +269,7 @@ gvir_event_timeout_add(int interval, g_mutex_lock(eventlock); - timeouts = g_realloc(timeouts, sizeof(*timeouts)*(ntimeouts+1)); - data = g_malloc(sizeof(*data)); - memset(data, 0, sizeof(*data)); - + data = g_new0(struct gvir_event_timeout, 1); data->timer = nexttimer++; data->interval = interval; data->cb = cb; @@ -273,7 +280,7 @@ gvir_event_timeout_add(int interval, gvir_event_timeout_dispatch, data); - timeouts[ntimeouts++] = data; + g_ptr_array_add(timeouts, data); DEBUG("Add timeout %p %d %p %p %d\n", data, interval, cb, opaque, data->timer); @@ -286,12 +293,26 @@ gvir_event_timeout_add(int interval, static struct gvir_event_timeout * -gvir_event_timeout_find(int timer) +gvir_event_timeout_find(int timer, guint *idx) { - unsigned int i; - for (i = 0 ; i < ntimeouts ; i++) - if (timeouts[i]->timer == timer) - return timeouts[i]; + guint i; + + g_return_val_if_fail(timeouts != NULL, NULL); + + for (i = 0 ; i < timeouts->len ; i++) { + struct gvir_event_timeout *t = g_ptr_array_index(timeouts, i); + + if (t == NULL) { + g_warn_if_reached (); + continue; + } + + if (t->timer == timer) { + if (idx != NULL) + *idx = i; + return t; + } + } return NULL; } @@ -305,7 +326,7 @@ gvir_event_timeout_update(int timer, g_mutex_lock(eventlock); - data = gvir_event_timeout_find(timer); + data = gvir_event_timeout_find(timer, NULL); if (!data) { DEBUG("Update of missing timer %d", timer); goto cleanup; @@ -337,11 +358,12 @@ static int gvir_event_timeout_remove(int timer) { struct gvir_event_timeout *data; + guint idx; int ret = -1; g_mutex_lock(eventlock); - data = gvir_event_timeout_find(timer); + data = gvir_event_timeout_find(timer, &idx); if (!data) { DEBUG("Remove of missing timer %d", timer); goto cleanup; @@ -358,8 +380,7 @@ gvir_event_timeout_remove(int timer) if (data->ff) (data->ff)(data->opaque); - free(data); - + g_ptr_array_remove_index_fast(timeouts, idx); ret = 0; cleanup: @@ -371,6 +392,8 @@ cleanup: static gpointer event_register_once(gpointer data G_GNUC_UNUSED) { eventlock = g_mutex_new(); + timeouts = g_ptr_array_new_with_free_func(g_free); + handles = g_ptr_array_new_with_free_func(g_free); virEventRegisterImpl(gvir_event_handle_add, gvir_event_handle_update, gvir_event_handle_remove, -- 1.7.6.2