On Fri, Jan 24, 2020 at 11:27:17 +0100, Michal Privoznik wrote:
When fixing [1] I've ran attached reproducer and had it spawn 1024 threads and query capabilities XML in each one of them. This lead libvirtd to hit the RLIMIT_NOFILE limit which was kind of expected. What wasn't expected was a subsequent segfault. It happened because virCPUProbeHost failed and returned NULL. We've taken the NULL and passed it to virCapabilitiesHostNUMARef() which dereferenced it. Code inspection showed the same flas in virQEMUDriverGetHostNUMACaps(), so I'm fixing both places.
1: https://bugzilla.redhat.com/show_bug.cgi?id=1791790
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- src/qemu/qemu_conf.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-)
Reviewed-by: Peter Krempa <pkrempa@redhat.com> Consider fixing the whitespace discrepancy though:
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index b62dd1df52..8040f8ab3a 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c @@ -1201,32 +1201,41 @@ virQEMUDriverCreateXMLConf(virQEMUDriverPtr driver, virCapsHostNUMAPtr virQEMUDriverGetHostNUMACaps(virQEMUDriverPtr driver) { + virCapsHostNUMAPtr hostnuma; + qemuDriverLock(driver);
if (!driver->hostnuma) driver->hostnuma = virCapabilitiesHostNUMANewHost();
+ hostnuma = driver->hostnuma; qemuDriverUnlock(driver);
No newline before unlock.
- virCapabilitiesHostNUMARef(driver->hostnuma); + if (hostnuma) + virCapabilitiesHostNUMARef(hostnuma);
- return driver->hostnuma; + return hostnuma; }
virCPUDefPtr virQEMUDriverGetHostCPU(virQEMUDriverPtr driver) { + virCPUDefPtr hostcpu; + qemuDriverLock(driver);
if (!driver->hostcpu) driver->hostcpu = virCPUProbeHost(virArchFromHost());
+ hostcpu = driver->hostcpu; + qemuDriverUnlock(driver);
Newline before unlock.
- virCPUDefRef(driver->hostcpu); + if (hostcpu) + virCPUDefRef(hostcpu);
- return driver->hostcpu; + return hostcpu; }
-- 2.24.1