[libvirt] [PATCH] qemuDomainBlockStatsFlags: Guard disk lookup with a domain job

Michal Privoznik mprivozn at redhat.com
Fri Mar 8 14:12:15 UTC 2013


On 08.03.2013 14:46, Peter Krempa wrote:
> On 03/08/13 13:20, Michal Privoznik wrote:
>> When there are two concurrent threads, we may dereference a NULL
>> pointer, even though it has been checked before:
>>
>> 1. Thread1: starts executing qemuDomainBlockStatsFlags() with nparams != 0.
>>             It finds the given disk and successfully passes the check for
>>             disk->info.alias not being NULL.
>> 2. Thread2: starts executing qemuDomainDetachDeviceFlags() on the very same
>>             disk as Thread1 is working on.
>> 3. Thread1: gets to qemuDomainObjBeginJob() where it sets a job on a
>>             domain.
>> 4. Thread2: also tries to set a job. However, we are not guaranteed which
>>             thread wins. So assume it's Thread2 who can continue.
>> 5. Thread2: does the actual detach and frees disk->info.alias
>> 6. Thread2: quits the job
>> 7. Thread1: now successfully acquires the job, and accesses a NULL pointer.
>> ---
> 
> Wow! Yes that might happen,
> 
>>   src/qemu/qemu_driver.c | 18 ++++++------------
>>   1 file changed, 6 insertions(+), 12 deletions(-)
>>
> 
> ACK.
> 
> Peter
> 

Thanks, pushed.

Michal
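Added illustration, not libvirt's code and not part of this thread: a deterministic C model of the interleaving in the commit message. The domain job is modelled as a try-lock, the disk and alias names are constructed, and the `race` callback stands in for Thread2 running while Thread1 waits for the job; both stats functions return the alias length on success, -1 when the disk or alias is absent, and the unguarded one returns -2 where the real code would dereference NULL.

```c
/* Model only (not libvirt): job = try-lock, names constructed. */
#include <stdlib.h>
#include <string.h>

struct disk   { char *alias; };
struct domain { struct disk *disk; int job_held; };

static int begin_job(struct domain *dom) {
    if (dom->job_held) return -1;       /* busy: caller has to wait */
    dom->job_held = 1;
    return 0;
}
static void end_job(struct domain *dom) { dom->job_held = 0; }

/* Thread2's detach: frees the alias, but only while it holds the job. */
int detach_device(struct domain *dom) {
    if (begin_job(dom) < 0) return -1;  /* Thread1 holds the job: wait */
    free(dom->disk->alias);
    dom->disk->alias = NULL;
    end_job(dom);
    return 0;
}

/* Before the fix: lookup and NULL check first, job afterwards. 'race'
 * models Thread2 running while Thread1 waits for the job (steps 2-6). */
int block_stats_unguarded(struct domain *dom, int (*race)(struct domain *)) {
    struct disk *d = dom->disk;                       /* step 1: lookup */
    if (!d || !d->alias) return -1;                   /* check passes */
    race(dom);                                        /* alias gets freed */
    begin_job(dom);                                   /* step 7: job taken */
    int len = d->alias ? (int)strlen(d->alias) : -2;  /* -2: NULL deref */
    end_job(dom);
    return len;
}

/* The fix: take the job first, then look the disk up under it. */
int block_stats_guarded(struct domain *dom, int (*race)(struct domain *)) {
    if (begin_job(dom) < 0) return -1;
    race(dom);                                        /* detach is blocked */
    struct disk *d = dom->disk;
    int len = (d && d->alias) ? (int)strlen(d->alias) : -1;
    end_job(dom);
    return len;
}

/* Build a domain with one disk; the alias "virtio-disk0" is constructed. */
struct domain *make_domain(void) {
    struct domain *dom = calloc(1, sizeof *dom);
    dom->disk = calloc(1, sizeof *dom->disk);
    dom->disk->alias = malloc(13);
    memcpy(dom->disk->alias, "virtio-disk0", 13);
    return dom;
}
```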