From 8eef82209343a96c92af027843c4ebfa816217e8 Mon Sep 17 00:00:00 2001
From: Thomas Haller
Date: Fri, 28 Jan 2022 08:24:36 +0100
Subject: [PATCH] libnm: fix dangling pointer in "o" properties when unregistering NMObject

When NMClient gets destroyed, it unrefs all NMObject. We need to unbreak
cycles then, and the property getters must return NULL.

In particular, for "o" type properties (NMLDBusPropertyO), this was not
done correctly. For example, calling nm_device_get_active_connection()
while/after destroying the NMClient can give a dangling pointer and
assertion failure.

This will also be covered by test_activate_virtual().

Probably a similar issue can happen, when a D-Bus object gets removed
(without destroying NMClient altogether).

The fix is that nml_dbus_property_o_clear() needs to clear "nmobj". That
is correct, because the pointer is no longer valid and should not be
there. And the unit test shows that in fact a pointer is left there, and
clearing it fixes it.

That was different from an earlier attempt to fix this (in commit
62b2aa85e875 ('Revert "libnm: fix dangling pointer in public API while
destructing NMClient"')), where clearing the pointer at a different place
broke things. That attempt was wrong, because
nml_dbus_property_o_notify_changed() needs to be the one that sets/clears
nmobj field during a regular update. But the case here is not a regular
update, nml_dbus_property_o_clear() happens during unregister/cleanup,
and then we need to clear the pointer.

Fixes: ce0e898fb476 ('libnm: refactor caching of D-Bus objects in NMClient')

https://bugzilla.redhat.com/show_bug.cgi?id=2039331
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/896

See-also: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1064
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1075
---
 src/libnm-client-impl/nm-client.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/libnm-client-impl/nm-client.c b/src/libnm-client-impl/nm-client.c index 27382ec8b9..d1db062d76 100644 --- a/src/libnm-client-impl/nm-client.c +++ b/src/libnm-client-impl/nm-client.c @@ -1837,6 +1837,7 @@ nml_dbus_property_o_clear(NMLDBusPropertyO *pr_o, NMClient *self) pr_o->meta_iface = NULL; pr_o->dbus_property_idx = 0; pr_o->is_ready = FALSE; + pr_o->nmobj = NULL; } void
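Review bot: The new `pr_o->nmobj = NULL;` at the end of nml_dbus_property_o_clear() has no comment, and the commit message shows this is easy to get wrong: an earlier attempt that cleared the pointer in a different place had to be reverted. Please add a short comment on that line saying that this function runs only on unregister/cleanup, that nml_dbus_property_o_notify_changed() remains the one place that sets or clears nmobj during a regular update, and that nmobj is assumed not to be an owned reference here (the hunk sets it to NULL without an unref, so if it did hold a reference this would leak). The message also says a similar dangling pointer can "probably" occur when a single D-Bus object is removed without destroying NMClient; test_activate_virtual() is named only for the destroy case, so a test that removes one object and then calls a getter such as nm_device_get_active_connection() would confirm that path returns NULL as well.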