[libvirt] [PATCH] Fix crash in QEMU auto-destroy with transient guests

From: "Daniel P. Berrange" <berrange@redhat.com> When the auto-destroy callback runs it is supposed to return NULL if the virDomainObjPtr is no longer valid. It was not doing this for transient guests, so we tried to virObjectUnlock a mutex which had been freed. This often led to a crash. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- src/qemu/qemu_process.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index db95d6e..1b9eede 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -4629,8 +4629,10 @@ qemuProcessAutoDestroy(virQEMUDriverPtr driver, if (!qemuDomainObjEndJob(driver, dom)) dom = NULL; - if (dom && !dom->persistent) + if (dom && !dom->persistent) { qemuDomainRemoveInactive(driver, dom); + dom = NULL; + } if (event) qemuDomainEventQueue(driver, event); -- 1.7.11.7
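Review bot: the added `dom = NULL;` after `qemuDomainRemoveInactive(driver, dom);` is the entire fix, so it deserves a one-line comment at that spot (e.g. `/* dom is freed by qemuDomainRemoveInactive */`); without it the assignment reads as a dead store that a later cleanup could drop, reintroducing the unlock of a freed mutex described in the commit message. The context lines only show `if (event) qemuDomainEventQueue(driver, event);` after the block, which does not touch `dom`, but the function's unlock/return path lies outside the hunk, so it is worth confirming that it is guarded by `if (dom)` and that nothing else between this block and the return dereferences `dom`. The placement mirrors the existing `dom = NULL;` after the `qemuDomainObjEndJob` failure two lines above, so the pattern is consistent with the surrounding code.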

On 02/28/2013 05:19 AM, Daniel P. Berrange wrote:
From: "Daniel P. Berrange" <berrange@redhat.com>
When the auto-destroy callback runs it is supposed to return NULL if the virDomainObjPtr is no longer valid. It was not doing this for transient guests, so we tried to virObjectUnlock a mutex which had been freed. This often led to a crash.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- src/qemu/qemu_process.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
ACK.
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index db95d6e..1b9eede 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -4629,8 +4629,10 @@ qemuProcessAutoDestroy(virQEMUDriverPtr driver,
if (!qemuDomainObjEndJob(driver, dom)) dom = NULL; - if (dom && !dom->persistent) + if (dom && !dom->persistent) { qemuDomainRemoveInactive(driver, dom); + dom = NULL; + } if (event) qemuDomainEventQueue(driver, event);
-- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org

On 02/28/2013 07:19 AM, Daniel P. Berrange wrote:
From: "Daniel P. Berrange" <berrange@redhat.com>
When the auto-destroy callback runs it is supposed to return NULL if the virDomainObjPtr is no longer valid. It was not doing this for transient guests, so we tried to virObjectUnlock a mutex which had been freed. This often led to a crash.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- src/qemu/qemu_process.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index db95d6e..1b9eede 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -4629,8 +4629,10 @@ qemuProcessAutoDestroy(virQEMUDriverPtr driver,
if (!qemuDomainObjEndJob(driver, dom)) dom = NULL; - if (dom && !dom->persistent) + if (dom && !dom->persistent) { qemuDomainRemoveInactive(driver, dom); + dom = NULL; + } if (event) qemuDomainEventQueue(driver, event);
ACK. That looks correct (qemuDomainRemoveInactive requires that there be no other references to the domain, and most other calls to it are followed by setting the domain ptr to NULL), and just as important it fixes the crash that I was seeing running Daniel's multi-threaded transient domain torture program.
Participants (3): Daniel P. Berrange, Eric Blake, Laine Stump