pxcloud/spice
5
0
Fork 0
mirror of https://gitlab.uni-freiburg.de/opensourcevdi/spice synced 2025-12-31 11:28:31 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
bb165ac3ab
spice/server/main_dispatcher.h
Yonit Halperin 8490f83e1f decouple disconnection of the main channel from client destruction 
Fixes rhbz#918169

Some channels make direct calls to reds/main_channel routines. If
these routines try to read/write to the socket, and they get socket
error, main_channel_client_on_disconnect is called, and triggers
red_client_destroy. In order to prevent accessing expired references
to RedClient, RedChannelClient, or other objects (inside the original call, after
red_client_destroy has been called) I made the call to
red_client_destroy asynchronous with respect to main_channel_client_on_disconnect.
I added MAIN_DISPATCHER_CLIENT_DISCONNECT to main_dispatcher.
main_channel_client_on_disconnect pushes this msg to the dispatcher,
instead of calling directly to reds_client_disconnect.

The patch uses RedClient ref-count in order to handle a case where
reds_client_disconnect is called directly (e.g., when a new client connects while
another one is connected), while there is already CLIENT_DISCONNECT msg
pending in the main_dispatcher.

Examples:
(1) snd_worker.c

    snd_disconnect_channel()
        channel->cleanup() //snd_playback_cleanup
            reds_enable_mm_timer()
                .
                .
                main_channel_push_multi_media_time()...socket_error
                    .
                    .
                    red_client_destory()
                        .
                        .
                        snd_disconnect_channel()
                            channel->cleanup()
                                celt051_encoder_destroy()
            celt051_encoder_destory() // double release

Note that this bug could have been solved by changing the order of
calls: e.g., channel->stream = NULL before calling cleanup, and
some other changes + reference counting. However, I found other
places in the code with similar problems, and I looked for a general
solution, at least till we redesign red_channel to handle reference
counting more consistently.

(2) inputs_channel.c

    inputs_connect()
        main_channel_client_push_notify()...socket_error
                .
                .
            red_client_destory()
                .
                .
        red_channel_client_create() // refers to client which is already destroyed

(3) reds.c

    reds_handle_main_link()
       main_channel_push_init() ...socket error
                .
                .
            red_client_destory()
                .
                .
       main_channel_client_start_net_test(mcc) // refers to mcc which is already destroyed

    This can explain the assert in rhbz#964136, comment #1 (but not the hang that occurred before).
2013-07-29 11:35:17 -04:00

20 lines
640 B
C
Raw Blame History

#ifndef MAIN_DISPATCHER_H
#define MAIN_DISPATCHER_H
#include <spice.h>
#include "red_channel.h"
void main_dispatcher_channel_event(int event, SpiceChannelEventInfo *info);
void main_dispatcher_seamless_migrate_dst_complete(RedClient *client);
void main_dispatcher_set_mm_time_latency(RedClient *client, uint32_t latency);
/*
* Disconnecting the client is always executed asynchronously,
* in order to protect from expired references in the routines
* that triggered the client destruction.
*/
void main_dispatcher_client_disconnect(RedClient *client);
void main_dispatcher_init(SpiceCoreInterface *core);
#endif //MAIN_DISPATCHER_H
Reference in New Issue View Git Blame Copy Permalink