libxl: Fix race between destruction of objects

It is possible to destroy and cleanup a VM, resulting in freeing the
libxlDomainObjPrivate object and associated libxl ctx, before all fds and
timeouts have been deregistered and destroyed.

Fix this race by incrementing the reference count on libxlDomainObjPrivate
for each fd and timeout registration.  Only when all fds and timeouts are
deregistered and destroyed will the libxlDomainObjPrivate be destroyed.

diff --git a/src/libxl/libxl_driver.c b/src/libxl/libxl_driver.c
index a34be51efe2cbd9ae08c500706be814bd8d01742..b4cbddde55395c107d5198fd8b8424648b648df9 100644 (file)
--- a/src/libxl/libxl_driver.c
+++ b/src/libxl/libxl_driver.c
@@ -111,7 +111,11 @@ libxlDriverUnlock(libxlDriverPrivatePtr driver)
 static void
 libxlEventHookInfoFree(void *obj)
 {
-    VIR_FREE(obj);
+    libxlEventHookInfoPtr info = obj;
+
+    /* Drop reference on libxlDomainObjPrivate */
+    virObjectUnref(info->priv);
+    VIR_FREE(info);
 }
 
 static void
@@ -161,6 +165,13 @@ libxlFDRegisterEventHook(void *priv, int fd, void **hndp,
     }
 
     info->priv = priv;
+    /*
+     * Take a reference on the domain object.  Reference is dropped in
+     * libxlEventHookInfoFree, ensuring the domain object outlives the fd
+     * event objects.
+     */
+    virObjectRef(info->priv);
+
     info->xl_priv = xl_priv;
     *hndp = info;
 
@@ -257,6 +268,13 @@ libxlTimeoutRegisterEventHook(void *priv,
     }
 
     info->priv = priv;
+    /*
+     * Also take a reference on the domain object.  Reference is dropped in
+     * libxlEventHookInfoFree, ensuring the domain object outlives the timeout
+     * event objects.
+     */
+    virObjectRef(info->priv);
+
     info->xl_priv = xl_priv;
     *hndp = info;