From b3aebf913623ed4c8cb7eb03380c0f3f2b7c42d6 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Tue, 12 Apr 2016 16:28:07 +0100
Subject: red-channel: make red_client_{ref,unref} thread safe

These function are called on both sides of dispatcher so the
increment/decrement of the counter is done in multiple threads.
This caused the counter to not get incremented correctly and
freed the structure too early, leaving a dangling pointer in
the other thread.

This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1253375.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
Acked-by: Jonathon Jongsma <jjongsma@redhat.com>
---
 server/red-channel.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/red-channel.c b/server/red-channel.c
index d8f1d273..cfddea06 100644
--- a/server/red-channel.c
+++ b/server/red-channel.c
@@ -2064,13 +2064,13 @@ RedClient *red_client_new(RedsState *reds, int migrated)
 RedClient *red_client_ref(RedClient *client)
 {
     spice_assert(client);
-    client->refs++;
+    g_atomic_int_inc(&client->refs);
     return client;
 }
 
 RedClient *red_client_unref(RedClient *client)
 {
-    if (!--client->refs) {
+    if (g_atomic_int_dec_and_test(&client->refs)) {
         spice_debug("release client=%p", client);
         pthread_mutex_destroy(&client->lock);
         free(client);
-- 
cgit v1.2.3