From: Peng Liang
Subject: [PATCH] qemuMonitorUnregister: Fix use-after-free of mon->watch
Date: Thu, 18 Feb 2021 15:04:21 +0800
Message-ID: <20210218070421.220249-1-liangpeng10@huawei.com>
Cc: liangpeng10@huawei.com, xiexiangyou@huawei.com

qemuMonitorUnregister will be called in multiple threads (e.g. threads in the rpc worker pool and the vm event thread). In some cases, it isn't protected by the monitor lock, which may lead to g_source_unref being called more than once and eventually a use-after-free problem.
To avoid similar problem in the future, use g_atomic_pointer_compare_and_exchange instead of adding a lock in the missing cases. Signed-off-by: Peng Liang --- src/qemu/qemu_monitor.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c index 0476d606f553..f4d05cd951c2 100644 --- a/src/qemu/qemu_monitor.c +++ b/src/qemu/qemu_monitor.c @@ -853,10 +853,11 @@ qemuMonitorRegister(qemuMonitorPtr mon) void qemuMonitorUnregister(qemuMonitorPtr mon) { - if (mon->watch) { - g_source_destroy(mon->watch); - g_source_unref(mon->watch); - mon->watch =3D NULL; + GSource *watch =3D mon->watch; + + if (watch && g_atomic_pointer_compare_and_exchange(&mon->watch, watch,= NULL)) { + g_source_destroy(watch); + g_source_unref(watch); } } =20 --=20 2.29.2
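Review bot: the snapshot `GSource *watch = mon->watch;` is a plain read of a field that another thread may be swapping through g_atomic_pointer_compare_and_exchange at the same moment; load it with g_atomic_pointer_get(&mon->watch) so every access to the field uses the atomic API (GLib asks that a location accessed atomically is not also accessed non-atomically). The compare-and-exchange itself does guarantee that only one caller reaches g_source_destroy/g_source_unref, which is the double-unref the commit message describes. The commit message would also benefit from naming the callers that reach qemuMonitorUnregister without the monitor lock, so reviewers can judge the lock-free path against simply taking the lock in those callers.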
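As an added example, not code from this patch or from libvirt: the release-exactly-once pattern the hunk applies to mon->watch, written with C11 atomics and pthreads so it runs stand-alone. The `struct watch`, `struct monitor`, `destroy_watch` and `unregister_once` names are hypothetical stand-ins for the GSource, the monitor object, the g_source_destroy/g_source_unref pair and qemuMonitorUnregister; destroy_watch only counts calls instead of freeing anything, so a double release shows up as a count of 2 rather than as memory corruption. The snapshot of the pointer is taken with an atomic load to match the compare-and-exchange that follows it.

```c
/* Added example (not libvirt code): release a shared resource exactly once
 * when several threads race to tear it down, using compare-and-exchange
 * instead of a lock. Names are hypothetical stand-ins for the libvirt ones. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>

#define NTHREADS 8

/* Stand-in for the GSource; lives statically so a second "destroy" is
 * observable as a count instead of being undefined behaviour. */
struct watch {
    int id;
};

/* Stand-in for the monitor object; only the watch pointer matters here. */
struct monitor {
    _Atomic(struct watch *) watch;
};

static atomic_int destroy_calls;        /* how many times the watch was released */
static struct watch the_watch = { 1 };  /* constructed sample resource */
static struct monitor mon;

/* Stand-in for g_source_destroy() + g_source_unref(). In the real code a
 * second call would unref a GSource that is already freed; here it only
 * increments a counter so the test can detect it. */
static void destroy_watch(struct watch *w)
{
    (void)w;
    atomic_fetch_add(&destroy_calls, 1);
}

/* Mirrors the patched qemuMonitorUnregister: snapshot the pointer
 * atomically, then claim it by swapping it to NULL. Only the thread whose
 * compare-and-exchange succeeds may touch the watch; every other caller
 * either sees NULL up front or loses the exchange and does nothing. */
static void unregister_once(struct monitor *m)
{
    struct watch *w = atomic_load(&m->watch);

    if (w && atomic_compare_exchange_strong(&m->watch, &w, NULL))
        destroy_watch(w);
}

static void *worker(void *arg)
{
    unregister_once(arg);
    return NULL;
}

/* Runs NTHREADS concurrent unregister calls against one monitor and returns
 * how many times the watch was released. The pattern guarantees exactly 1. */
int race_unregister(void)
{
    pthread_t th[NTHREADS];

    atomic_store(&destroy_calls, 0);
    atomic_store(&mon.watch, &the_watch);
    for (int i = 0; i < NTHREADS; i++)
        pthread_create(&th[i], NULL, worker, &mon);
    for (int i = 0; i < NTHREADS; i++)
        pthread_join(th[i], NULL);
    return atomic_load(&destroy_calls);
}

/* The same guarantee on the sequential path: a second call on one thread
 * finds the field already NULL and must not release again. */
int unregister_twice_sequential(void)
{
    atomic_store(&destroy_calls, 0);
    atomic_store(&mon.watch, &the_watch);
    unregister_once(&mon);
    unregister_once(&mon);
    return atomic_load(&destroy_calls);
}

/* 1 when the monitor no longer references the watch, 0 otherwise. */
int watch_is_cleared(void)
{
    return atomic_load(&mon.watch) == NULL;
}

int main(void)
{
    printf("concurrent: released %d time(s)\n", race_unregister());
    printf("sequential twice: released %d time(s)\n", unregister_twice_sequential());
    return 0;
}
```

The important property is that the check and the clear are one atomic step: a caller that observes a non-NULL pointer but loses the exchange must not touch the resource, because the winner may already have released it.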