From: Oleg Vasilev
To: libvir-list@redhat.com
Cc: Oleg Vasilev, Den Lunev, Nikolai Barybin
Subject: [PATCH 1/2] net: add debug logs
Date: Tue, 4 Jul 2023 13:10:21 +0600
Message-ID: <20230704071452.2948997-2-oleg.vasilev@virtuozzo.com>
In-Reply-To: <20230704071452.2948997-1-oleg.vasilev@virtuozzo.com>
References: <20230704071452.2948997-1-oleg.vasilev@virtuozzo.com>

Helped to debug next patch use-after-free.

Signed-off-by: Oleg Vasilev
Reviewed-by: Michal Privoznik
--- src/remote/remote_daemon_stream.c | 4 ++-- src/rpc/virnetmessage.c | 5 +++++ 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/src/remote/remote_daemon_stream.c b/src/remote/remote_daemon_s= tream.c index 3b7519d2cb..38a2b6cceb 100644 --- a/src/remote/remote_daemon_stream.c +++ b/src/remote/remote_daemon_stream.c 
@@ -318,8 +318,8 @@ daemonStreamFilter(virNetServerClient *client, msg->header.serial !=3D stream->serial) goto cleanup; =20 - VIR_DEBUG("Incoming client=3D%p, rx=3D%p, serial=3D%u, proc=3D%d, stat= us=3D%d", - client, stream->rx, msg->header.proc, + VIR_DEBUG("Incoming client=3D%p, rx=3D%p, msg=3D%p, serial=3D%u, proc= =3D%d, status=3D%d", + client, stream->rx, msg, msg->header.proc, msg->header.serial, msg->header.status); =20 virNetMessageQueuePush(&stream->rx, msg); diff --git a/src/rpc/virnetmessage.c b/src/rpc/virnetmessage.c index 50cc335fd6..af0f9cb30b 100644 --- a/src/rpc/virnetmessage.c +++ b/src/rpc/virnetmessage.c @@ -103,6 +103,8 @@ void virNetMessageQueuePush(virNetMessage **queue, virN= etMessage *msg) { virNetMessage *tmp =3D *queue; =20 + VIR_DEBUG("queue=3D%p msg=3D%p", queue, msg); + if (tmp) { while (tmp->next) tmp =3D tmp->next; 
@@ -117,10 +119,13 @@ virNetMessage *virNetMessageQueueServe(virNetMessage = **queue) { virNetMessage *tmp =3D *queue; =20 + VIR_DEBUG("queue serve start queue=3D%p *queue=3D%p", queue, *queue); + if (tmp) { *queue =3D g_steal_pointer(&tmp->next); } =20 + VIR_DEBUG("queue serve end queue=3D%p *queue=3D%p", queue, *queue); return tmp; } =20 --=20 2.41.0
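
Review bot: In the daemonStreamFilter hunk of src/remote/remote_daemon_stream.c, the VIR_DEBUG format lists serial=%u before proc=%d, but the arguments pass msg->header.proc before msg->header.serial, so each value is printed under the other's label. The mismatch is already in the removed line and this change carries it over; since the call is being rewritten anyway, pass msg, msg->header.serial, msg->header.proc, msg->header.status in that order so the log can be trusted when matching a message to its serial.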
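
Review bot: The VIR_DEBUG added to virNetMessageQueuePush prints queue, which is the address of the head pointer, while the daemonStreamFilter log just before the push prints rx as stream->rx, the value of that head pointer, so the two lines cannot be matched on the queue field. Printing *queue as well, as the virNetMessageQueueServe messages do, would let the three logs line up, for example "queue=%p *queue=%p msg=%p".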
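
Review bot: In virNetMessageQueueServe the two added VIR_DEBUG calls run on every dequeue, and the message being returned is only visible indirectly, as *queue in the "start" line. A single call placed after the if block that prints queue, tmp and the new *queue would carry the same information in one line and name the returned message explicitly; a blank line between it and return tmp would also match the spacing left after the first call.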
From: Oleg Vasilev
To: libvir-list@redhat.com
Cc: Oleg Vasilev, Den Lunev, Nikolai Barybin
Subject: [PATCH 2/2] remote: fix stream use-after-free
Date: Tue, 4 Jul 2023 13:10:22 +0600
Message-ID: <20230704071452.2948997-3-oleg.vasilev@virtuozzo.com>
In-Reply-To: <20230704071452.2948997-1-oleg.vasilev@virtuozzo.com>
References: <20230704071452.2948997-1-oleg.vasilev@virtuozzo.com>

Inside daemonStreamHandleWrite on stream completion (status=OK) we reuse msg object to send confirmation. Only after that, msg is popped from the queue and checked for continue. By that time, msg might've already been processed for the confirmation and freed.

Signed-off-by: Oleg Vasilev
Reviewed-by: Michal Privoznik
--- src/remote/remote_daemon_stream.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/src/remote/remote_daemon_stream.c b/src/remote/remote_daemon_s= tream.c index 38a2b6cceb..345c40b48c 100644 
--- a/src/remote/remote_daemon_stream.c +++ b/src/remote/remote_daemon_stream.c @@ -740,10 +740,11 @@ static int daemonStreamHandleWrite(virNetServerClient *client, daemonClientStream *stream) { + virNetMessageStatus status =3D VIR_NET_OK; VIR_DEBUG("client=3D%p, stream=3D%p", client, stream); =20 while (stream->rx && !stream->closed) { - virNetMessage *msg =3D stream->rx; + virNetMessage *msg =3D virNetMessageQueueServe(&stream->rx); int ret; =20 if (msg->header.type =3D=3D VIR_NET_STREAM_HOLE) { @@ -752,7 +753,8 @@ daemonStreamHandleWrite(virNetServerClient *client, * data. */ ret =3D daemonStreamHandleHole(client, stream, msg); } else if (msg->header.type =3D=3D VIR_NET_STREAM) { - switch (msg->header.status) { + status =3D msg->header.status; + switch (status) { case VIR_NET_OK: ret =3D daemonStreamHandleFinish(client, stream, msg); break; @@ -776,7 +778,6 @@ daemonStreamHandleWrite(virNetServerClient *client, if (ret > 0) break; /* still processing data from msg */ =20 - virNetMessageQueueServe(&stream->rx); if (ret < 0) { virNetMessageFree(msg); virNetServerClientImmediateClose(client); @@ -789,7 +790,7 @@ daemonStreamHandleWrite(virNetServerClient *client, * onto the wire, but this causes the client to reset * its active request count / throttling */ - if (msg->header.status =3D=3D VIR_NET_CONTINUE) { + if (status =3D=3D VIR_NET_CONTINUE) { virNetMessageClear(msg); msg->header.type =3D VIR_NET_REPLY; if (virNetServerClientSendMessage(client, msg) < 0) { --=20 2.41.0
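
Review bot: With the first hunk of daemonStreamHandleWrite taking msg off the queue through virNetMessageQueueServe(&stream->rx) before it is handled, the unchanged ret > 0 path in the @@ -776 hunk ("break; /* still processing data from msg */") now leaves the loop with msg no longer on stream->rx and, in the lines shown, neither freed nor put back. Before this change the message stayed at the head of the queue in that case, so the next call picked it up again. Please either put msg back at the head of the queue before the break, or explain in the commit message why that path no longer needs the message to remain queued.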
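
Review bot: status is declared at function scope with VIR_NET_OK and assigned only in the VIR_NET_STREAM branch (@@ -752), so for a VIR_NET_STREAM_HOLE message the later check if (status == VIR_NET_CONTINUE) in the @@ -789 hunk tests the initial value or whatever the previous loop iteration left behind, where it used to test that message's own msg->header.status. Assigning status = msg->header.status immediately after the dequeue, and declaring it inside the loop, keeps the previous behaviour for hole messages while still avoiding the read of msg after it may have been freed.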