From 22881560b916d474c9c7320285642597c85bd3cb Mon Sep 17 00:00:00 2001
Message-Id: <22881560b916d474c9c7320285642597c85bd3cb.1300377193.git.jdenemar@redhat.com>
From: Eric Blake <eblake@redhat.com>
Date: Fri, 21 Jan 2011 16:38:48 -0700
Subject: [PATCH] event: fix event-handling data race

5.7: https://bugzilla.redhat.com/show_bug.cgi?id=671569

This bug has been present since before the time that commit f8a519 (Dec 2008) tried to make the dispatch loop re-entrant. Dereferencing eventLoop.handles outside the lock risks crashing, since any other thread could have reallocated the array in the meantime. It's a narrow race window, however, and one that would have most likely resulted in passing bogus data to the callback rather than actually causing a segv, which is probably why it has gone undetected this long.

* daemon/event.c (virEventDispatchHandles): Cache data while inside the lock, as the array might be reallocated once outside.
(cherry picked from commit a11bd2e6cc267febc3de9047a1aa317a2f52d81d)

Conflicts:
daemon/event.c
---
 daemon/event.c | 9 ++++-----
 1 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/daemon/event.c b/daemon/event.c
index 6971409..3c1c18f 100644
--- a/daemon/event.c
+++ b/daemon/event.c
@@ -1,7 +1,7 @@
 /*
  * event.c: event loop for monitoring file handles
  *
- * Copyright (C) 2007, 2010 Red Hat, Inc.
+ * Copyright (C) 2007, 2010-2011 Red Hat, Inc.
  * Copyright (C) 2007 Daniel P. Berrange
  *
  * This library is free software; you can redistribute it and/or
@@ -470,14 +470,13 @@ static int virEventDispatchHandles(int nfds, struct pollfd *fds) {
 
         if (fds[n].revents) {
             virEventHandleCallback cb = eventLoop.handles[i].cb;
+            int watch = eventLoop.handles[i].watch;
             void *opaque = eventLoop.handles[i].opaque;
             int hEvents = virPollEventToEventHandleType(fds[n].revents);
             EVENT_DEBUG("Dispatch n=%d f=%d w=%d e=%d %p", i,
-                        fds[n].fd, eventLoop.handles[i].watch,
-                        fds[n].revents, eventLoop.handles[i].opaque);
+                        fds[n].fd, watch, fds[n].revents, opaque);
             virEventUnlock();
-            (cb)(eventLoop.handles[i].watch,
-                 fds[n].fd, hEvents, opaque);
+            (cb)(watch, fds[n].fd, hEvents, opaque);
             virEventLock();
         }
     }
-- 
1.7.4.1
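Review bot: The new `int watch = eventLoop.handles[i].watch;` and the existing `cb`/`opaque` copies carry no comment explaining why they must be taken before `virEventUnlock()`, so a future edit could quietly reintroduce a read of `eventLoop.handles[i]` into the `(cb)(...)` call and bring the race back. I would add, above `virEventHandleCallback cb = eventLoop.handles[i].cb;`, the comment `/* Copy everything the callback needs while the lock is held: the callback runs with the lock dropped and may add or remove handles, which can reallocate eventLoop.handles. */`. With this change every argument passed to `cb` comes from locals or from the caller-owned `fds` array, which is the right shape; whether the loop re-validates `i` against `eventLoop.handlesCount` after `virEventLock()` is not visible here. virEventDispatchHandles begins outside the hunk.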