<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=utf-8">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p><br>
    </p>
    If a client process registers event callbacks and calls libvirt APIs<br>
    that use the same virConnectPtr from inside the callback function,<br>
    then when that process exits abnormally and the client disconnects,<br>
    it is possible for the main thread to refer to the virServerClient<br>
    just after it has been freed by a job thread of libvirtd.<br>
    <br>
    Following is the backtrace:<br>
    #0 0x00007fda223d66d8 in virClassIsDerivedFrom
    (klass=0xdeadbeef,parent=0x7fda24c81b40)<br>
    #1 0x00007fda223d6a1e in virObjectIsClass
    (anyobj=anyobj@entry=0x7fd9e575b400,klass=<optimized out="">)<br>
      #2 0x00007fda223d6a44 in virObjectLock
      (anyobj=anyobj@entry=0x7fd9e575b400)<br>
      #3 0x00007fda22507f71 in virNetServerClientSendMessage
      (client=client@entry=0x7fd9e575b400, msg=msg@entry=0x7fd9ec30de90)<br>
      #4 0x00007fda230d714d in remoteDispatchObjectEventSend
      (client=0x7fd9e575b400, program=0x7fda24c844e0,
      procnr=procnr@entry=348, proc=0x7fda2310e5e0 <xdr_remote_domain_event_callback_tunable_msg>,
        data=data@entry=0x7ffc3857fdb0)<br>
        #5 0x00007fda230dd71b in remoteRelayDomainEventTunable (conn=<optimized
          out="">, dom=0x7fda27cd7660, params=0x7fda27f3aae0, nparams=1,
          opaque=0x7fd9e6c99e00)<br>
          #6 0x00007fda224484cb in virDomainEventDispatchDefaultFunc
          (conn=0x7fda27cd0120, event=0x7fda2736ea00, cb=0x7fda230dd610
          <remoterelaydomaineventtunable>, cbopaque=0x7fd9e6c99e00)<br>
            #7 0x00007fda22446871 in
            virObjectEventStateDispatchCallbacks (callbacks=<optimized
              out="">, callbacks=<optimized out="">,
                event=0x7fda2736ea00, state=0x7fda24ca3960)<br>
                #8 virObjectEventStateQueueDispatch
                (callbacks=0x7fda24c65800, queue=0x7ffc3857fe90,
                state=0x7fda24ca3960)<br>
                #9 virObjectEventStateFlush (state=0x7fda24ca3960)<br>
                #10 virObjectEventTimer (timer=<optimized out="">,
                  opaque=0x7fda24ca3960)<br>
                  #11 0x00007fda223ae8b9 in virEventPollDispatchTimeouts
                  ()<br>
                  #12 virEventPollRunOnce ()<br>
                  #13 0x00007fda223ad1d2 in virEventRunDefaultImpl ()<br>
                  #14 0x00007fda225046cd in virNetDaemonRun
                  (dmn=dmn@entry=0x7fda24c775c0)<br>
                  #15 0x00007fda230d6351 in main (argc=<optimized out="">,
                    argv=<optimized out="">)<br>
                      <br>
                      (gdb) p *(virNetServerClientPtr)0x7fd9e575b400<br>
                      $2 = {parent = {parent = {u = {dummy_align1 =
                      140573849338048, dummy_align2 = 0x7fd9e65ac0c0, s
                      = {magic = 3864707264, refs = 32729}}, klass =
                      0x7fda00000078}, lock = {lock = {__data = {__lock
                      = 0,<br>
                      __count = 0, __owner = 0, __nusers = 0, __kind =
                      0, __spins = 0, __list = {__prev = 0x0, __next =
                      0x0}}, __size = '\000' <repeats 39="" times="">,
                        __align = 0}}}, wantClose = false,<br>
                        delayedClose = false, sock = 0x0, auth = 0,
                        readonly = false, tlsCtxt = 0x0, tls = 0x0, sasl
                        = 0x0, sockTimer = 0, identity = 0x0, nrequests
                        = 0, nrequests_max = 0, rx = 0x0, tx = 0x0,
                        filters = 0x0,<br>
                        nextFilterID = 0, dispatchFunc = 0x0,
                        dispatchOpaque = 0x0, privateData = 0x0,
                        privateDataFreeFunc = 0x0,
                        privateDataPreExecRestart = 0x0,
                        privateDataCloseFunc = 0x0, keepalive = 0x0}<br>
                        ---<br>
                        src/rpc/virnetserverclient.c | 6 ++++++<br>
                        1 file changed, 6 insertions(+)<br>
                        <br>
                        diff --git a/src/rpc/virnetserverclient.c
                        b/src/rpc/virnetserverclient.c<br>
                        index 81da82c..562516f 100644<br>
                        --- a/src/rpc/virnetserverclient.c<br>
                        +++ b/src/rpc/virnetserverclient.c<br>
                        @@ -1021,6 +1021,12 @@ void
                        virNetServerClientClose(virNetServerClientPtr
                        client)<br>
                        client->sock = NULL;<br>
                        }<br>
                        <br>
                        + if (client->privateData &&<br>
                        + client->privateDataFreeFunc) {<br>
                        +
                        client->privateDataFreeFunc(client->privateData);<br>
                        + client->privateData = NULL;<br>
                        + }<br>
                        +<br>
                        virObjectUnlock(client);<br>
                        }<br>
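Review bot: The added block in virNetServerClientClose releases `client->privateData` while the object is still reference-counted and the client lock is still held (the `virObjectUnlock(client)` comes after it), so the private data's lifetime becomes shorter than the client's. Any thread that still holds a reference and reads `client->privateData` after close will now see NULL or race with the free, and nothing in the hunk shows those readers being guarded. The backtrace also shows the event relay path taking this same lock through virNetServerClientSendMessage, so a free function that unregisters event callbacks while the lock is held may run into a lock-ordering problem; this is inferred, as the free function is not visible here. Consider unregistering the callbacks at close through the existing `privateDataCloseFunc` hook and leaving the free to dispose, or at least detaching the pointer under the lock (`priv = client->privateData; client->privateData = NULL;`) and calling the free function only after `virObjectUnlock(client)`. The function body starts outside the hunk, so the earlier close steps were not reviewed.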
                        <br>
                        -- <br>
                        2.8.3<br>
                        <br>
                      </repeats></optimized></optimized></optimized></optimized></optimized></remoterelaydomaineventtunable></optimized></xdr_remote_domain_event_callback_tunable_msg></optimized>
  </body>
</html>