author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2021-03-01 23:10:06 +0100 |
---|---|---|
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2021-03-01 23:12:51 +0100 |
commit | 97935302283729c9206b84f5e00b1aff0f78ad19 (patch) | |
tree | 8ed7489e5a8aef4ecfcacc5d7f61cabf77b3d07c /src/resolve/resolved-socket-graveyard.c | |
parent | resolved: unref event object after the sources (diff) | |

resolved: disable event sources before unreffing them

We generally operate on the assumption that a source is "gone" as soon
as we unref it. This is generally true because we have the only reference.
But if something else holds the reference, our unref doesn't really stop
the source and it could fire again.

In particular, on_query_timeout() is called with DnsQuery* as userdata, and
it calls dns_query_stop() which invalidates that pointer. If it was ever
called again, we'd be accessing already-freed memory.

I don't see what would hold the reference. sd-event takes a temporary reference,
but on the sd_event object, not on the individual sources. And our sources
are non-floating, so there is no reference from the sd_event object to the
sources.

For #18427.

Diffstat (limited to 'src/resolve/resolved-socket-graveyard.c')
-rw-r--r-- | src/resolve/resolved-socket-graveyard.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/resolve/resolved-socket-graveyard.c b/src/resolve/resolved-socket-graveyard.c index 067cb666d4..471fe1d578 100644 --- a/src/resolve/resolved-socket-graveyard.c +++ b/src/resolve/resolved-socket-graveyard.c @@ -36,7 +36,7 @@ static SocketGraveyard* socket_graveyard_free(SocketGraveyard *g) { if (g->io_event_source) { log_debug("Closing graveyard socket fd %i", sd_event_source_get_io_fd(g->io_event_source)); - sd_event_source_unref(g->io_event_source); + sd_event_source_disable_unref(g->io_event_source); } return mfree(g); |
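
Review bot: The new `sd_event_source_disable_unref(g->io_event_source);` line in socket_graveyard_free() carries no comment explaining why the source is disabled first, and the commit message itself says no other holder of the reference has been identified. A one-line comment there, saying that the source is disabled so it cannot fire again if something else still holds a reference, would keep a later cleanup from turning it back into a plain unref. Leaving g->io_event_source pointing at the old source is harmless in this function because `return mfree(g);` follows immediately. The `log_debug("Closing graveyard socket fd %i", ...)` message just above is only accurate when this call drops the last reference; in the case the patch defends against, the source is disabled here but the object outlives this function, so the wording may be worth revisiting.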