From: Zhang Chen <chen.zhang@intel.com>
To: Jason Wang <jasowang@redhat.com>, Li Zhijian <lizhijian@cn.fujitsu.com>
Cc: Zhang Chen <chen.zhang@intel.com>,
	qemu-dev <qemu-devel@nongnu.org>,
	Like Xu <like.xu@linux.intel.com>
Subject: [PATCH V2 2/4] net/colo: Fix a "double free" crash to clear the conn_list
Date: Fri,  1 Apr 2022 11:47:00 +0800
Message-ID: <20220401034702.687057-3-chen.zhang@intel.com>
In-Reply-To: <20220401034702.687057-1-chen.zhang@intel.com>

We noticed that QEMU may crash when the guest has too many
incoming network connections, with the following log:

15197@1593578622.668573:colo_proxy_main : colo proxy connection hashtable full, clear it
free(): invalid pointer
[1]    15195 abort (core dumped)  qemu-system-x86_64 ....

This is because we create the s->connection_track_table with
g_hash_table_new_full() which is defined as:

GHashTable * g_hash_table_new_full (GHashFunc hash_func,
                       GEqualFunc key_equal_func,
                       GDestroyNotify key_destroy_func,
                       GDestroyNotify value_destroy_func);

The fourth parameter, connection_destroy(), will be called to free the
memory allocated for all 'Connection' values in the hashtable when
we call g_hash_table_remove_all() in connection_hashtable_reset().

But both connection_track_table and conn_list reference the same
conn instance, which triggers a double free when conn_list is cleared. So this
patch removes the free action on the hash table side to avoid double freeing the
conn.

Signed-off-by: Like Xu <like.xu@linux.intel.com>
Signed-off-by: Zhang Chen <chen.zhang@intel.com>
---
 net/colo-compare.c    | 2 +-
 net/filter-rewriter.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/colo-compare.c b/net/colo-compare.c
index 62554b5b3c..ab054cfd21 100644
--- a/net/colo-compare.c
+++ b/net/colo-compare.c
@@ -1324,7 +1324,7 @@ static void colo_compare_complete(UserCreatable *uc, Error **errp)
     s->connection_track_table = g_hash_table_new_full(connection_key_hash,
                                                       connection_key_equal,
                                                       g_free,
-                                                      connection_destroy);
+                                                      NULL);
 
     colo_compare_iothread(s);
 
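Review bot: with the value destroy function changed from `connection_destroy);` to `NULL);`, connection_track_table no longer frees any Connection, so conn_list becomes the sole owner, and that holds not only for the g_hash_table_remove_all() in connection_hashtable_reset() that the commit message discusses but also for every individual g_hash_table_remove() on this table, each of which must now be paired with taking the conn off conn_list and freeing it there; otherwise a Connection that is in the table but not on conn_list is leaked rather than double freed. Suggest the commit message state that conn_list is now the only owner of Connection objects for colo-compare, and confirm connection_destroy() still has a caller after this hunk so it does not become dead code.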
diff --git a/net/filter-rewriter.c b/net/filter-rewriter.c
index bf05023dc3..c18c4c2019 100644
--- a/net/filter-rewriter.c
+++ b/net/filter-rewriter.c
@@ -383,7 +383,7 @@ static void colo_rewriter_setup(NetFilterState *nf, Error **errp)
     s->connection_track_table = g_hash_table_new_full(connection_key_hash,
                                                       connection_key_equal,
                                                       g_free,
-                                                      connection_destroy);
+                                                      NULL);
     s->incoming_queue = qemu_new_net_queue(qemu_netfilter_pass_to_next, nf);
 }
 
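Review bot: the same `NULL);` needs a separate justification for filter-rewriter, because patch 3/4 of this series is titled "net/colo.c: No need to track conn_list for filter-rewriter". If, after that patch, filter-rewriter's Connection objects live only in this connection_track_table, then with the value destroy removed here nothing frees them when the table is cleared, and the double free becomes a leak. Either keep connection_destroy as the value destroy in colo_rewriter_setup() (where the hash table would be the only container holding the Connection) or have patch 3/4 say where those values are freed. The key destroy, g_free, is untouched by this hunk and remains correct.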
-- 
2.25.1
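The ownership bug the commit message describes, as an added illustration that is not QEMU or GLib code: a toy hash table with a value_destroy_func (mirroring the fourth argument of g_hash_table_new_full()) and a separate list both hold the same Connection pointers. To keep the demonstration well defined, connection_destroy() here counts calls on a stack-allocated object instead of calling free(), so the double free shows up as a count of 2 rather than as an abort. The table, list and Connection layout are stand-ins assumed for this example only.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Illustration only: stand-ins for net/colo's connection_track_table and
 * conn_list. Not the QEMU structures. */
typedef struct Connection {
    uint32_t key;        /* stands in for the ConnectionKey 5-tuple */
    int destroy_count;   /* how many times "free" ran on this object */
} Connection;

typedef void (*DestroyNotify)(void *data);

#define NBUCKETS 8

typedef struct {
    Connection *slot[NBUCKETS];   /* toy open-addressed table */
    DestroyNotify value_destroy;  /* mirrors g_hash_table_new_full()'s 4th arg */
} Table;

typedef struct ListNode {
    Connection *conn;
    struct ListNode *next;
} ListNode;

/* Simulated free: records the call so a double "free" is observable
 * instead of being undefined behaviour. */
static void connection_destroy(void *data)
{
    Connection *conn = data;
    conn->destroy_count++;
}

static void table_init(Table *t, DestroyNotify value_destroy)
{
    memset(t, 0, sizeof(*t));
    t->value_destroy = value_destroy;
}

static int table_insert(Table *t, Connection *conn)
{
    unsigned i = conn->key % NBUCKETS;
    for (unsigned n = 0; n < NBUCKETS; n++, i = (i + 1) % NBUCKETS) {
        if (!t->slot[i]) {
            t->slot[i] = conn;
            return 1;
        }
    }
    return 0; /* table full */
}

/* Like g_hash_table_remove_all(): runs value_destroy on every value. */
static void table_remove_all(Table *t)
{
    for (unsigned i = 0; i < NBUCKETS; i++) {
        if (t->slot[i] && t->value_destroy) {
            t->value_destroy(t->slot[i]);
        }
        t->slot[i] = NULL;
    }
}

static void list_push(ListNode **head, Connection *conn)
{
    ListNode *n = malloc(sizeof(*n));
    n->conn = conn;
    n->next = *head;
    *head = n;
}

/* Like the conn_list clear: frees every Connection the list holds. */
static void list_clear(ListNode **head)
{
    while (*head) {
        ListNode *n = *head;
        *head = n->next;
        connection_destroy(n->conn);
        free(n);
    }
}

/* Runs the "hashtable full, clear it" path with the given value destroy and
 * returns the total number of destroy calls over three Connections. */
static int run_reset(DestroyNotify value_destroy)
{
    Table t;
    ListNode *conn_list = NULL;
    Connection conns[3] = { { .key = 1 }, { .key = 2 }, { .key = 3 } };
    int total = 0;

    table_init(&t, value_destroy);
    for (int i = 0; i < 3; i++) {
        table_insert(&t, &conns[i]);
        list_push(&conn_list, &conns[i]); /* same pointer in both containers */
    }
    table_remove_all(&t);   /* connection_hashtable_reset() */
    list_clear(&conn_list); /* conn_list clear */

    for (int i = 0; i < 3; i++) {
        total += conns[i].destroy_count;
    }
    return total; /* 6 with connection_destroy installed, 3 with NULL */
}

int main(void)
{
    printf("destroy calls, value_destroy = connection_destroy: %d\n",
           run_reset(connection_destroy));
    printf("destroy calls, value_destroy = NULL:               %d\n",
           run_reset(NULL));
    return 0;
}
```

The first call reproduces the pre-patch state: each Connection is destroyed once by the table reset and once more by the list clear. Passing NULL, as the patch does, leaves the list as the single owner, so each Connection is destroyed exactly once. The flip side, which a reviewer should check in the real code, is that with NULL installed any Connection that reaches the table without also being on the list is never freed at all.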




Thread overview: 16+ messages
2022-04-01  3:46 [PATCH V2 0/4] COLO net and runstate bugfix/optimization Zhang Chen
2022-04-01  3:46 ` [PATCH V2 1/4] softmmu/runstate.c: add RunStateTransition support form COLO to PRELAUNCH Zhang Chen
2022-04-27  8:56   ` Jason Wang
2022-04-27  9:26     ` Zhang, Chen
2022-05-07  2:03       ` Zhang, Chen
2022-05-07  5:08         ` Jason Wang
2022-05-18 13:08           ` Dr. David Alan Gilbert
2022-05-19  2:18             ` Jason Wang
2022-07-06  5:02               ` Zhang, Chen
2022-07-06  5:39                 ` Jason Wang
2022-04-01  3:47 ` Zhang Chen [this message]
2022-04-01  3:47 ` [PATCH V2 3/4] net/colo.c: No need to track conn_list for filter-rewriter Zhang Chen
2022-04-01  3:47 ` [PATCH V2 4/4] net/colo.c: fix segmentation fault when packet is not parsed correctly Zhang Chen
2022-04-14  1:52 ` [PATCH V2 0/4] COLO net and runstate bugfix/optimization Zhang, Chen
2022-04-14  3:12   ` Jason Wang
2022-04-14  3:24     ` Zhang, Chen
