[libvirt] [PATCH] do not unref obj in qemuDomainObjExitMonitorWithDriver

Laine Stump laine at laine.org
Fri Mar 18 05:28:39 UTC 2011


On 03/17/2011 10:25 PM, Wen Congyang wrote:
> On 03/17/2011 07:11 PM, Daniel P. Berrange wrote:
>> On Wed, Mar 16, 2011 at 05:01:23PM +0800, Wen Congyang wrote:
>>> Steps to reproduce this bug:
>>> # cat test.sh
>>>    #! /bin/bash -x
>>>    virsh start domain
>>>    sleep 5
>>>    virsh qemu-monitor-command domain 'cpu_set 2 online' --hmp
>>> # while true; do ./test.sh ; done
>>>
>>> Then libvirtd will crash.
>>>
>>> The reason is that we add a reference to obj when we open the monitor, and
>>> we drop this reference when we free the monitor.
>>>
>>> If the reference count of the monitor reaches 0, we free the monitor
>>> automatically and the reference on obj is dropped.
>>>
>>> But in the function qemuDomainObjExitMonitorWithDriver(), we drop this
>>> reference again when the reference count of the monitor is 0.
>>>
>>> This causes obj to be freed in the function qemuDomainObjEndJob().
>>>
>>> Then, when we start the domain again, libvirtd crashes in the function
>>> virDomainObjListSearchName(), because we pass a null pointer (obj->def->name)
>>> to strcmp().
>>>
>>> Signed-off-by: Wen Congyang <wency at cn.fujitsu.com>
>>>
>>> ---
>>>   src/qemu/qemu_domain.c |    1 -
>>>   1 files changed, 0 insertions(+), 1 deletions(-)
>>>
>>> diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
>>> index 8a2b9cc..ae28b1c 100644
>>> --- a/src/qemu/qemu_domain.c
>>> +++ b/src/qemu/qemu_domain.c
>>> @@ -634,7 +634,6 @@ void qemuDomainObjExitMonitorWithDriver(struct qemud_driver *driver,
>>>       virDomainObjLock(obj);
>>>
>>>       if (refs == 0) {
>>> -        virDomainObjUnref(obj);
>>>           priv->mon = NULL;
>>>       }
>>>   }
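Review bot: the identical `if (refs == 0) { virDomainObjUnref(obj); priv->mon = NULL; }` block also exists in qemuDomainObjExitMonitor(), the non-driver variant a few dozen lines above this hunk, so removing the unref only in qemuDomainObjExitMonitorWithDriver() leaves the second drop of the obj reference reachable through that function; both call sites need the same one-line removal, as the V2 below does.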
>> ACK,  ExitMonitorWithDriver should not be touching the virDomainObjPtr
>> refs at all. The virDomainObjPtr refs should only be touched by the
>> BeginJob/EndJob calls.
>>
>> This same fix also needs to be done in qemuDomainObjExitMonitor()
> Yes, there is the same problem in qemuDomainObjExitMonitor().
> I have updated this patch.


ACK to this V2 (partially based on Dan's approval). I just pushed it.


>>
>> Daniel
>
> From 6c30534f7e6c5d2e5661c38397fc5062a8288ef3 Mon Sep 17 00:00:00 2001
> From: Wen Congyang <wency at cn.fujitsu.com>
> Date: Fri, 18 Mar 2011 09:51:07 +0800
> Subject: [PATCH 3/3] do not unref obj in qemuDomainObjExitMonitor*
>
> ---
>   src/qemu/qemu_domain.c |    2 --
>   1 files changed, 0 insertions(+), 2 deletions(-)
>
> diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
> index 8a2b9cc..cc137d2 100644
> --- a/src/qemu/qemu_domain.c
> +++ b/src/qemu/qemu_domain.c
> @@ -588,7 +588,6 @@ void qemuDomainObjExitMonitor(virDomainObjPtr obj)
>       virDomainObjLock(obj);
>
>       if (refs == 0) {
> -        virDomainObjUnref(obj);
>           priv->mon = NULL;
>       }
>   }
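Review bot: this V2 carries no commit message body and no Signed-off-by line (the Subject runs straight into the `---` separator), whereas V1 recorded the reproducer script and the explanation that the monitor's own teardown already drops the obj reference; that text should be carried over before pushing so the history says why the `virDomainObjUnref(obj)` under `if (refs == 0)` is removed from qemuDomainObjExitMonitor().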
> @@ -634,7 +633,6 @@ void qemuDomainObjExitMonitorWithDriver(struct qemud_driver *driver,
>       virDomainObjLock(obj);
>
>       if (refs == 0) {
> -        virDomainObjUnref(obj);
>           priv->mon = NULL;
>       }
>   }
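Review bot: with the unref gone, qemuDomainObjExitMonitorWithDriver() still calls virDomainObjLock(obj) and writes priv->mon after the monitor's final unref may already have released the reference the monitor held on obj; that is only safe because the caller's BeginJob reference keeps obj alive, which is the invariant Dan states above (only BeginJob/EndJob touch the obj refs). A one-line comment above `if (refs == 0)` recording that the monitor's destroy path owns the drop would make the reason for the bare `priv->mon = NULL;` visible and stop the unref from being reintroduced.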

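To make the ownership rule in the commit message concrete, here is an added example in C that models the reference counts involved. It is not libvirt code: every name in it (dom_t, mon_t, mon_open, exit_monitor_before, exit_monitor_after, replay, and so on) is invented for the model, and "freeing" is simulated by clearing the name field so the result can be inspected instead of crashing. It replays the sequence from the report once with the extra unref present and once with it removed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct mon mon_t;

/* Stand-in for virDomainObj: one reference per owner (the domain list,
 * the open monitor, an active job). Invented type, not libvirt's. */
typedef struct dom {
    int refs;
    const char *name;   /* stands in for obj->def->name; NULL once "freed" */
    mon_t *mon;         /* stands in for priv->mon */
} dom_t;

/* Stand-in for qemuMonitor: its own refcount plus a reference on the domain. */
struct mon {
    int refs;
    dom_t *dom;
};

static int dom_ref(dom_t *d) { return ++d->refs; }

/* Dropping the last reference "frees" the object. The model keeps the struct
 * so the caller can inspect it, but clears name: that NULL is what the
 * unguarded strcmp() in virDomainObjListSearchName() tripped over. */
static int dom_unref(dom_t *d)
{
    if (--d->refs == 0)
        d->name = NULL;
    return d->refs;
}

/* Opening the monitor takes a domain reference on the monitor's behalf. */
static mon_t *mon_open(dom_t *d)
{
    mon_t *m = calloc(1, sizeof *m);
    if (!m)
        abort();
    m->refs = 1;
    m->dom = d;
    dom_ref(d);
    return m;
}

static int mon_ref(mon_t *m) { return ++m->refs; }

/* The monitor's destroy path releases the domain reference taken in
 * mon_open(). This is the one place that reference is meant to be dropped. */
static int mon_unref(mon_t *m)
{
    if (--m->refs > 0)
        return m->refs;
    dom_unref(m->dom);
    free(m);
    return 0;
}

/* BeginJob/EndJob own one reference for the duration of the job. */
static void begin_job(dom_t *d) { dom_ref(d); }
static int  end_job(dom_t *d)   { return dom_unref(d); }

/* Exit-monitor before the patch: when the monitor goes away it drops the
 * domain reference a second time, on top of the drop inside mon_unref(). */
static void exit_monitor_before(dom_t *d)
{
    int refs = mon_unref(d->mon);
    if (refs == 0) {
        dom_unref(d);   /* the extra unref the patch removes */
        d->mon = NULL;
    }
}

/* Exit-monitor as patched: only forget the dead monitor. */
static void exit_monitor_after(dom_t *d)
{
    int refs = mon_unref(d->mon);
    if (refs == 0)
        d->mon = NULL;
}

/* Replays the report: list ref + monitor ref + job ref, monitor torn down
 * while the job is inside it, then EndJob. Returns the refs left on the
 * list's entry: 1 is correct, 0 means it was freed while still listed. */
static int replay(int patched, dom_t *d)
{
    d->refs = 1;                  /* the domain list's own reference */
    d->name = "domain";
    d->mon = mon_open(d);         /* dom 2, mon 1 */
    begin_job(d);                 /* dom 3 */
    mon_ref(d->mon);              /* EnterMonitor: mon 2 */
    mon_unref(d->mon);            /* simulated EOF drops the monitor's own ref: mon 1 */
    if (patched)
        exit_monitor_after(d);    /* mon 0 -> freed, dom 2 */
    else
        exit_monitor_before(d);   /* mon 0 -> freed, dom 2, then wrongly dom 1 */
    return end_job(d);            /* patched: 1, unpatched: 0 */
}

static int refs_after_job(int patched) { dom_t d; return replay(patched, &d); }

/* What the next "virsh start" does: look the entry up by name. */
static int next_start_finds_domain(int patched)
{
    dom_t d;
    replay(patched, &d);
    return d.name != NULL && strcmp(d.name, "domain") == 0;
}

int main(void)
{
    printf("before patch: refs after EndJob = %d, lookup ok: %d\n",
           refs_after_job(0), next_start_finds_domain(0));
    printf("after patch:  refs after EndJob = %d, lookup ok: %d\n",
           refs_after_job(1), next_start_finds_domain(1));
    return 0;
}
```

The point the model makes is the one Dan states: the monitor's destroy path already pays back the reference the monitor took, so the exit-monitor function has no reference of its own to drop, and any unref it does there comes out of the job's or the list's balance.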