git.ipfire.org Git - thirdparty/qemu.git/commit

author	Greg Kurz <groug@kaod.org>
	Fri, 12 Mar 2021 09:22:07 +0000 (10:22 +0100)
committer	Michael S. Tsirkin <mst@redhat.com>
	Mon, 22 Mar 2021 14:17:53 +0000 (10:17 -0400)
commit	9e06080bed293d94ec1f874e62f25f147b20bc6c
tree	c205544a797a8c5832215a673e4b2701c5991d1b	tree
parent	a890557d5a90b2c99988bc478bfd7f77392cfd8d	commit \| diff

vhost-user: Fix double-close on slave_read() error path

Some message types, e.g. VHOST_USER_SLAVE_VRING_HOST_NOTIFIER_MSG,
can convey file descriptors. These must be closed before returning
from slave_read() to avoid being leaked. This can currently be done
in two different places:

[1] just after the request has been processed

[2] on the error path, under the goto label err:

These path are supposed to be mutually exclusive but they are not
actually. If the VHOST_USER_NEED_REPLY_MASK flag was passed and the
sending of the reply fails, both [1] and [2] are performed with the
same descriptor values. This can potentially cause subtle bugs if one
of the descriptor was recycled by some other thread in the meantime.

This code duplication complicates rollback for no real good benefit.
Do the closing in a unique place, under a new fdcleanup: goto label
at the end of the function.

Signed-off-by: Greg Kurz <groug@kaod.org>
Message-Id: <20210312092212.782255-3-groug@kaod.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>