[libvirt] [PATCH] qemuDomainBlockStatsFlags: Guard disk lookup with a domain job

Peter Krempa pkrempa at redhat.com
Fri Mar 8 13:46:44 UTC 2013


On 03/08/13 13:20, Michal Privoznik wrote:
> When there are two concurrent threads, we may dereference a NULL
> pointer, even though it has been checked before:
>
> 1. Thread1: starts executing qemuDomainBlockStatsFlags() with nparams != 0.
>              It finds the given disk and successfully passes the check for
>              disk->info.alias not being NULL.
> 2. Thread2: starts executing qemuDomainDetachDeviceFlags() on the very same
>              disk as Thread1 is working on.
> 3. Thread1: gets to qemuDomainObjBeginJob() where it sets a job on a
>              domain.
> 4. Thread2: also tries to set a job. However, we are not guaranteed which
>              thread wins. So assume it's Thread2 who can continue.
> 5. Thread2: does the actual detach and frees disk->info.alias
> 6. Thread2: quits the job
> 7. Thread1: now successfully acquires the job, and accesses a NULL pointer.
> ---

Wow! Yes, that might happen,

>   src/qemu/qemu_driver.c | 18 ++++++------------
>   1 file changed, 6 insertions(+), 12 deletions(-)
>

ACK.

Peter
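A constructed C model of the interleaving described in the quoted commit message, added here as an illustration and not part of libvirt or of the patch itself: it runs the original ordering (look the disk up and check its alias, then begin the job) and the patched ordering (begin the job, then look the disk up under it) against a simulated detach that fires in the window between the two steps. The boolean job flag, `detach_disk`, and the `virtio-disk0` alias are stand-ins for qemuDomainObjBeginJob/EndJob, qemuDomainDetachDeviceFlags and disk->info.alias.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the race (not libvirt code): a domain with one disk
 * and a boolean "job" standing in for qemuDomainObjBeginJob/EndJob. */
typedef struct { char *alias; } disk_t;
typedef struct { int job_held; disk_t *disk; } dom_t;
enum { STATS_OK = 0, ERR_NO_DISK = -1, ERR_STALE_ALIAS = -2 };

static int begin_job(dom_t *d) { if (d->job_held) return 0; d->job_held = 1; return 1; }
static void end_job(dom_t *d) { d->job_held = 0; }

/* Thread2: detach proceeds only when it wins the job; it frees the alias.
 * The disk struct itself is kept so the stale pointer can be inspected safely. */
static int detach_disk(dom_t *d) {
    if (!begin_job(d)) return 0;                        /* real code would wait here */
    free(d->disk->alias); d->disk->alias = NULL; d->disk = NULL;
    end_job(d);
    return 1;
}

/* Original ordering: find the disk and check its alias, then take the job.
 * 'interleave' runs Thread2 in the window between the check and the job. */
static int stats_buggy(dom_t *d, int (*interleave)(dom_t *)) {
    disk_t *disk = d->disk;
    if (!disk || !disk->alias) return ERR_NO_DISK;      /* the check passes */
    interleave(d);                                      /* detach wins the job */
    begin_job(d);
    int rc = disk->alias ? STATS_OK : ERR_STALE_ALIAS;  /* real code dereferences NULL */
    end_job(d);
    return rc;
}

/* Patched ordering: take the job first, then look the disk up under it. */
static int stats_fixed(dom_t *d, int (*interleave)(dom_t *)) {
    begin_job(d);
    interleave(d);                                      /* detach cannot take the job */
    disk_t *disk = d->disk;
    int rc = (disk && disk->alias) ? STATS_OK : ERR_NO_DISK;
    end_job(d);
    return rc;
}

/* Run one scenario on a fresh domain holding a disk aliased "virtio-disk0" (constructed). */
int run_scenario(int patched) {
    disk_t disk = { malloc(16) };
    strcpy(disk.alias, "virtio-disk0");
    dom_t dom = { 0, &disk };
    int rc = patched ? stats_fixed(&dom, detach_disk) : stats_buggy(&dom, detach_disk);
    if (dom.disk) detach_disk(&dom);                    /* let Thread2 finish afterwards */
    return rc;
}
```

run_scenario(0) reproduces the stale alias the commit message describes; run_scenario(1) returns STATS_OK because the detach is held off until the job is released.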
