Re: [PATCH 2/3] qemu_conf: Avoid dereferencing NULL in virQEMUDriverGetHost{NUMACaps, CPU}
On Fri, Jan 24, 2020 at 11:27:17 +0100, Michal Privoznik wrote:
When fixing [1] I've ran attached reproducer and had it spawn
1024 threads and query capabilities XML in each one of them. This
lead libvirtd to hit the RLIMIT_NOFILE limit which was kind of
expected. What wasn't expected was a subsequent segfault. It
happened because virCPUProbeHost failed and returned NULL. We've
taken the NULL and passed it to virCapabilitiesHostNUMARef()
which dereferenced it. Code inspection showed the same flas in
virQEMUDriverGetHostNUMACaps(), so I'm fixing both places.
1: https://bugzilla.redhat.com/show_bug.cgi?id=1791790
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
src/qemu/qemu_conf.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
Reviewed-by: Peter Krempa <pkrempa(a)redhat.com>
Consider fixing the whitespace discrepancy though:
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index b62dd1df52..8040f8ab3a 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -1201,32 +1201,41 @@ virQEMUDriverCreateXMLConf(virQEMUDriverPtr driver,
virCapsHostNUMAPtr
virQEMUDriverGetHostNUMACaps(virQEMUDriverPtr driver)
{
+ virCapsHostNUMAPtr hostnuma;
+
qemuDriverLock(driver);
if (!driver->hostnuma)
driver->hostnuma = virCapabilitiesHostNUMANewHost();
+ hostnuma = driver->hostnuma;
qemuDriverUnlock(driver);
No newline before unlock.
- virCapabilitiesHostNUMARef(driver->hostnuma);
+ if (hostnuma)
+ virCapabilitiesHostNUMARef(hostnuma);
- return driver->hostnuma;
+ return hostnuma;
}
virCPUDefPtr
virQEMUDriverGetHostCPU(virQEMUDriverPtr driver)
{
+ virCPUDefPtr hostcpu;
+
qemuDriverLock(driver);
if (!driver->hostcpu)
driver->hostcpu = virCPUProbeHost(virArchFromHost());
+ hostcpu = driver->hostcpu;
+
qemuDriverUnlock(driver);
Newline before unlock.
- virCPUDefRef(driver->hostcpu);
+ if (hostcpu)
+ virCPUDefRef(hostcpu);
- return driver->hostcpu;
+ return hostcpu;
}
--
2.24.1