[libvirt] [PATCH 2/2] Lock the whole virConnect Object when disposing to avoid the thread race

Osier Yang jyang at redhat.com
Wed Dec 5 14:48:44 UTC 2012 

https://bugzilla.redhat.com/show_bug.cgi?id=866524

Since the virConnect object is not locked wholely when doing
virConenctDispose, a thread can get the lock and thus might
cause the race.

Detected by valgrind:

==23687== Invalid read of size 4
==23687==    at 0x38BAA091EC: pthread_mutex_lock (pthread_mutex_lock.c:61)
==23687==    by 0x3FBA919E36: remoteClientCloseFunc (remote_driver.c:337)
==23687==    by 0x3FBA936BF2: virNetClientCloseLocked (virnetclient.c:688)
==23687==    by 0x3FBA9390D8: virNetClientIncomingEvent (virnetclient.c:1859)
==23687==    by 0x3FBA851AAE: virEventPollRunOnce (event_poll.c:485)
==23687==    by 0x3FBA850846: virEventRunDefaultImpl (event.c:247)
==23687==    by 0x40CD61: vshEventLoop (virsh.c:2128)
==23687==    by 0x3FBA8626F8: virThreadHelper (threads-pthread.c:161)
==23687==    by 0x38BAA077F0: start_thread (pthread_create.c:301)
==23687==    by 0x33F68E570C: clone (clone.S:115)
==23687==  Address 0x4ca94e0 is 144 bytes inside a block of size 312 free'd
==23687==    at 0x4A0595D: free (vg_replace_malloc.c:366)
==23687==    by 0x3FBA8588B8: virFree (memory.c:309)
==23687==    by 0x3FBA86AAFC: virObjectUnref (virobject.c:145)
==23687==    by 0x3FBA8EA767: virConnectClose (libvirt.c:1458)
==23687==    by 0x40C8B8: vshDeinit (virsh.c:2584)
==23687==    by 0x41071E: main (virsh.c:3022)

The above race is caused by the eventLoop thread tries to handle
the net client event by calling the callback set by:
    virNetClientSetCloseCallback(priv->client,
                                 remoteClientCloseFunc,
                                 conn, NULL);

I.E. remoteClientCloseFunc, which lock/unlock the virConnect object.

This patch is to fix it by locking the whole virConnect object when
disposing it.
---
 src/datatypes.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/datatypes.c b/src/datatypes.c
index c0ed3a2..8648ecb 100644
--- a/src/datatypes.c
+++ b/src/datatypes.c
@@ -128,6 +128,8 @@ virConnectDispose(void *obj)
 {
     virConnectPtr conn = obj;
 
+    virMutexLock(&conn->lock);
+
     if (conn->networkDriver)
         conn->networkDriver->close(conn);
     if (conn->interfaceDriver)
@@ -143,8 +145,6 @@ virConnectDispose(void *obj)
     if (conn->driver)
         conn->driver->close(conn);
 
-    virMutexLock(&conn->lock);
-
     if (conn->closeFreeCallback)
         conn->closeFreeCallback(conn->closeOpaque);
 
-- 
1.7.7.6

More information about the libvir-list mailing list