[libvirt] [PATCH] qemu: Don't increment jobs counter before DomainObj ref count is incremented

Friday, 14 December 2012

Currently, if domain is being destroyed, it's private data can be
freed.  If there's however another thread waiting to start a job,
it may lead to a NULL dereference and SIGSEGV. Check if reference
counter on domain object was successfully incremented.

Reported-By: Scott Sullivan <ssullivan(a)liquidweb.com&gt;
---

Reported here:

https://www.redhat.com/archives/libvir-list/2012-December/msg00931.html

 src/qemu/qemu_domain.c |   11 +++++++----
 1 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 8d8cf02..5cc5bf7 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -764,18 +764,21 @@ qemuDomainObjBeginJobInternal(virQEMUDriverPtr driver,
                               enum qemuDomainJob job,
                               enum qemuDomainAsyncJob asyncJob)
 {
-    qemuDomainObjPrivatePtr priv = obj->privateData;
+    qemuDomainObjPrivatePtr priv;
     unsigned long long now;
     unsigned long long then;
     bool nested = job == QEMU_JOB_ASYNC_NESTED;
 
-    priv->jobs_queued++;
-
     if (virTimeMillisNow(&now) < 0)
         return -1;
     then = now + QEMU_JOB_WAIT_TIME;
 
-    virObjectRef(obj);
+    if (!virObjectRef(obj))
+        return -1;
+
+    priv = obj->privateData;
+    priv->jobs_queued++;
+
     if (driver_locked)
         qemuDriverUnlock(driver);
 
-- 
1.7.8.6


    

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

[libvirt] [PATCH] qemu: Don't increment jobs counter before DomainObj ref count is incremented