[libvirt] Race condition between qemuDomainCreate and qemuDomainDestroy

Marc Hartmayer mhartmay at linux.vnet.ibm.com
Tue Apr 3 11:47:51 UTC 2018


On Tue, Mar 20, 2018 at 11:25 AM +0100, Marc Hartmayer <mhartmay at linux.vnet.ibm.com> wrote:
> Hi,
>
> there is a race condition between 'qemuDomainCreate' and
> 'qemuDomainDestroy' causing a NULL pointer segmentation fault when
> accessing priv->monConfig. The race condition can be easily reproduced
> using gdb.
>
> (gdb) set non-stop on
> # set breakpoint on line 'mon = qemuMonitorOpen(vm, …)'
> (gdb) b qemu_process.c:1799
> # Actually, this second breakpoint is optional but it’s good to see where priv->monConfig is set to NULL
> # set breakpoint on line priv->monConfig = NULL;
> (gdb) b qemu_process.c:6589
> (gdb) run
> # continue all threads - just for the case we hit a breakpoint already
> (gdb) c -a
>
> Now start a domain (that is using QEMU)
>
> $ virsh start domain
>
> The first breakpoint will be hit. Now run in a second shell
>
> $ virsh destroy domain
>
> The second breakpoint will be hit. Continue the thread where the second
> breakpoint was hit (for this example this is thread 4)
>
> (gdb) thread apply 4 continue
>
> Now continue the thread where the first breakpoint was hit.
>
> => Segmentation fault because of a NULL pointer dereference at
>    config->value
>
> Since I'm not very familiar with that part of the code, I wanted to ask
> for your advice.
>
> Thanks in advance.
>
> Kind regards
>    Marc Hartmayer
>
> IBM Deutschland Research & Development GmbH
> Chairwoman of the Supervisory Board: Martina Koederitz
> Management: Dirk Wittkopp
> Registered office: Böblingen
> Registration court: Amtsgericht Stuttgart, HRB 243294

Any ideas?

---
Kind regards
   Marc Hartmayer

IBM Deutschland Research & Development GmbH
Chairwoman of the Supervisory Board: Martina Koederitz
Management: Dirk Wittkopp
Registered office: Böblingen
Registration court: Amtsgericht Stuttgart, HRB 243294
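
A single-threaded model of the interleaving produced by the gdb steps above, added here as an illustration and not taken from libvirt or from the post: the `window` callback plays the part of the `virsh destroy` thread running while the start thread is paused before opening the monitor. `MonConfig`, `DomainPriv` and all function names are hypothetical, and the hardened variant shows one common mitigation (holding a private reference), which is an assumption and not necessarily the fix libvirt adopted.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins, not libvirt types: a reference-counted monitor
 * config and the per-domain private data that points at it. */
typedef struct { int refs; char value[32]; } MonConfig;
typedef struct { MonConfig *monConfig; } DomainPriv;

static MonConfig *cfg_new(const char *v) {
    MonConfig *c = calloc(1, sizeof(*c));
    if (!c) abort();
    c->refs = 1;
    snprintf(c->value, sizeof(c->value), "%s", v);
    return c;
}
static void cfg_unref(MonConfig *c) { if (c && --c->refs == 0) free(c); }

/* Destroy path: drops the domain's reference and clears the pointer. */
static void domain_destroy(DomainPriv *priv) {
    cfg_unref(priv->monConfig);
    priv->monConfig = NULL;
}

/* Start path, racy form: reads priv->monConfig only after the window in
 * which the destroy path may have run. */
static int monitor_open_racy(DomainPriv *priv, void (*window)(DomainPriv *)) {
    if (window) window(priv);             /* the other thread's turn */
    MonConfig *c = priv->monConfig;
    if (!c) return -1;                    /* stands in for the NULL dereference */
    return (int)strlen(c->value);
}

/* Start path, hardened form: take a private reference before the window
 * (in threaded code, while still holding the domain lock) and use only
 * that local pointer afterwards. */
static int monitor_open_safe(DomainPriv *priv, void (*window)(DomainPriv *)) {
    MonConfig *c = priv->monConfig;
    if (!c) return -1;
    c->refs++;
    if (window) window(priv);
    int n = (int)strlen(c->value);        /* still valid: we hold a reference */
    int gone = (priv->monConfig == NULL); /* destroy ran: start must be aborted */
    cfg_unref(c);
    return gone ? -2 : n;
}
```

A return of `-2` from the hardened form means the config stayed valid for the duration of the call but the domain was destroyed in the meantime, so the caller should abandon the start instead of continuing with a stale monitor.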




