[libvirt] [PATCH] qemu_migration: Avoid writing to freed memory

When a domain is killed on the source host while it is being migrated and libvirtd is waiting for the migration to finish (waiting for the domain condition in qemuMigrationSrcWaitForCompletion), the run-time state including priv->job.current may already be freed once virDomainObjWait returns with -1. Thus the priv->job.current pointer cached in jobInfo is no longer valid and setting jobInfo->status may crash the daemon. https://bugzilla.redhat.com/show_bug.cgi?id=1593137 Signed-off-by: Jiri Denemark <jdenemar@redhat.com> --- src/qemu/qemu_migration.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index 435cd174af..825a9d399b 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c @@ -1584,7 +1584,8 @@ qemuMigrationSrcWaitForCompletion(virQEMUDriverPtr driver, if (events) { if (virDomainObjWait(vm) < 0) { - jobInfo->status = QEMU_DOMAIN_JOB_STATUS_FAILED; + if (virDomainObjIsActive(vm)) + jobInfo->status = QEMU_DOMAIN_JOB_STATUS_FAILED; return -2; } } else { -- 2.18.0
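Review bot: the virDomainObjIsActive(vm) guard added in qemuMigrationSrcWaitForCompletion protects the write but not the caller's view of jobInfo: on the killed-domain path the function still returns -2 while jobInfo->status keeps whatever value it had before the wait, so any caller that reads jobInfo->status after a -2 return must treat it as stale. A one-line comment above `if (virDomainObjIsActive(vm))` saying that jobInfo aliases priv->job.current, which is freed together with the run-time state when the domain dies, would keep the check from looking like a redundant liveness test and being dropped in a later cleanup. It is also worth confirming that an inactive domain is the only case in which virDomainObjWait() returns -1 with the job already freed; if the job state can go away while the domain is still active, a check on the job pointer itself would be the safer condition.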

On Thu, Aug 02, 2018 at 05:07:33PM +0200, Jiri Denemark wrote:
When a domain is killed on the source host while it is being migrated and libvirtd is waiting for the migration to finish (waiting for the domain condition in qemuMigrationSrcWaitForCompletion), the run-time state including priv->job.current may already be freed once virDomainObjWait returns with -1. Thus the priv->job.current pointer cached in jobInfo is no longer valid and setting jobInfo->status may crash the daemon.
https://bugzilla.redhat.com/show_bug.cgi?id=1593137
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
---
src/qemu/qemu_migration.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

Reviewed-by: Ján Tomko <jtomko@redhat.com>

Jano
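The race described in the commit message quoted above, modelled as an added example; this is not libvirt code and nothing in it comes from the patch. A simulated allocator marks the job state freed instead of calling free(), so the write that the patch removes can be observed without real undefined behaviour. All names (domain_t, job_t, job_release, domain_wait, domain_is_active, wait_for_completion_buggy, wait_for_completion_fixed) are hypothetical stand-ins for virDomainObj, priv->job.current, virDomainObjWait, virDomainObjIsActive and qemuMigrationSrcWaitForCompletion, and the "killed" argument stands in for the event that kills the domain while the wait is in progress.

```c
/*
 * Added example, not libvirt code. Models the cached-pointer race from the
 * commit message with a simulated allocator: job_release() marks the job
 * freed instead of calling free(), so a write after release is detectable.
 * All identifiers below are hypothetical stand-ins for the libvirt ones.
 */
#include <stdio.h>

enum job_status { JOB_NONE = 0, JOB_MIGRATING = 1, JOB_FAILED = 2 };

typedef struct {
    int status;
    int freed;        /* simulated free(): 1 once the run-time state is gone */
} job_t;

typedef struct {
    int active;       /* cleared when the domain is killed */
    job_t *job;       /* run-time job state, released with the domain state */
} domain_t;

static void job_release(job_t *job)
{
    job->freed = 1;   /* stands in for free(job) */
}

/* Stand-in for virDomainObjWait(): the caller passes what happened while we
 * waited. killed != 0 means the domain died; its run-time state (including
 * the job) is released and -1 is returned, the case the patch addresses. */
static int domain_wait(domain_t *vm, int killed)
{
    if (killed) {
        vm->active = 0;
        job_release(vm->job);
        vm->job = NULL;
        return -1;
    }
    return 0;
}

static int domain_is_active(const domain_t *vm)
{
    return vm->active;
}

/* "Before" form of the hunk: writes through the cached pointer unconditionally. */
static int wait_for_completion_buggy(domain_t *vm, int killed)
{
    job_t *jobInfo = vm->job;              /* cached before the wait */
    if (domain_wait(vm, killed) < 0) {
        jobInfo->status = JOB_FAILED;      /* lands on released memory if killed */
        return -2;
    }
    return 0;
}

/* "After" form: touch jobInfo only while the domain, and therefore the job
 * state jobInfo aliases, is still alive. Returns -2 either way on failure. */
static int wait_for_completion_fixed(domain_t *vm, int killed)
{
    job_t *jobInfo = vm->job;
    if (domain_wait(vm, killed) < 0) {
        if (domain_is_active(vm))
            jobInfo->status = JOB_FAILED;
        return -2;
    }
    return 0;
}

/* Run one variant against a fresh domain that is killed mid-wait.
 * Returns 1 if the variant wrote to the released job, 0 otherwise. */
static int wrote_to_freed_job(int (*variant)(domain_t *, int))
{
    job_t job = { JOB_MIGRATING, 0 };
    domain_t vm = { 1, &job };
    int ret = variant(&vm, /* killed = */ 1);
    return ret == -2 && job.freed && job.status == JOB_FAILED;
}

/* Same run without the kill: both variants return 0 and leave the job intact. */
static int completes_when_alive(int (*variant)(domain_t *, int))
{
    job_t job = { JOB_MIGRATING, 0 };
    domain_t vm = { 1, &job };
    return variant(&vm, 0) == 0 && !job.freed && job.status == JOB_MIGRATING;
}

int main(void)
{
    printf("buggy variant writes released job: %d\n",
           wrote_to_freed_job(wait_for_completion_buggy));
    printf("fixed variant writes released job: %d\n",
           wrote_to_freed_job(wait_for_completion_fixed));
    return 0;
}
```

The point the simulation makes is that the pointer captured before the wait is the hazard, not the wait itself: once the wait can end because the object owning that state has gone away, every cached pointer into it must be re-validated against the owner's liveness before use, which is exactly what the added virDomainObjIsActive() check does.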

Hi,

This series was run against 'syntax-check' test by patchew.org, which failed, please find the details below:

Type: series
Message-id: 7824152ee221199b352c0753db3eefaa5ec9dbb7.1533222453.git.jdenemar@redhat.com
Subject: [libvirt] [PATCH] qemu_migration: Avoid writing to freed memory

=== TEST SCRIPT BEGIN ===
#!/bin/bash
# Testing script will be invoked under the git checkout with
# HEAD pointing to a commit that has the patches applied on top of "base"
# branch
time bash -c './autogen.sh && make syntax-check'
=== TEST SCRIPT END ===

Updating bcb55ab053bc79561b55d0394490f4b64e0f2d01
From https://github.com/patchew-project/libvirt
 t [tag update] patchew/20180803093532.16922-1-berrange@redhat.com -> patchew/20180803093532.16922-1-berrange@redhat.com
 t [tag update] patchew/7824152ee221199b352c0753db3eefaa5ec9dbb7.1533222453.git.jdenemar@redhat.com -> patchew/7824152ee221199b352c0753db3eefaa5ec9dbb7.1533222453.git.jdenemar@redhat.com
Switched to a new branch 'test'
fatal: Not a valid branch point: '9eae8398edde9446ecc99f4f393bea94652fb6a2'.
Traceback (most recent call last):
  File "patchew-tester/src/patchew-cli", line 523, in test_one
    cwd=clone, stdout=logf, stderr=logf)
  File "/usr/lib64/python3.6/subprocess.py", line 291, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['git', 'branch', 'base', '9eae8398edde9446ecc99f4f393bea94652fb6a2']' returned non-zero exit status 128.
---
Email generated automatically by Patchew [http://patchew.org/].
Please send your feedback to patchew-devel@redhat.com
participants (3)
- Jiri Denemark
- Ján Tomko
- no-reply@patchew.org