[libvirt] [PATCH] qemu_migration: Avoid writing to freed memory

Jiri Denemark posted 1 patch 5 years, 7 months ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/7824152ee221199b352c0753db3eefaa5ec9dbb7.1533222453.git.jdenemar@redhat.com
Test syntax-check failed
src/qemu/qemu_migration.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
[libvirt] [PATCH] qemu_migration: Avoid writing to freed memory
Posted by Jiri Denemark 5 years, 7 months ago
When a domain is killed on the source host while it is being migrated
and libvirtd is waiting for the migration to finish (waiting for the
domain condition in qemuMigrationSrcWaitForCompletion), the run-time
state including priv->job.current may already be freed once
virDomainObjWait returns with -1. Thus the priv->job.current pointer
cached in jobInfo is no longer valid and setting jobInfo->status may
crash the daemon.

https://bugzilla.redhat.com/show_bug.cgi?id=1593137

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
---
 src/qemu/qemu_migration.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c
index 435cd174af..825a9d399b 100644
--- a/src/qemu/qemu_migration.c
+++ b/src/qemu/qemu_migration.c
@@ -1584,7 +1584,8 @@ qemuMigrationSrcWaitForCompletion(virQEMUDriverPtr driver,
 
         if (events) {
             if (virDomainObjWait(vm) < 0) {
-                jobInfo->status = QEMU_DOMAIN_JOB_STATUS_FAILED;
+                if (virDomainObjIsActive(vm))
+                    jobInfo->status = QEMU_DOMAIN_JOB_STATUS_FAILED;
                 return -2;
             }
         } else {
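Review bot: the new virDomainObjIsActive(vm) guard in the `if (virDomainObjWait(vm) < 0)` branch deserves a one-line code comment, because the reason for it (the domain was destroyed while we waited, so the run-time state that jobInfo points into, priv->job.current, is already freed) lives only in the commit message and is not obvious from the two lines themselves; something like `/* the domain may have been destroyed while we were waiting; its run-time state, which jobInfo points into, is freed with it */` above the check would stop a future cleanup from "simplifying" the guard away. The `return -2` is left unchanged on both paths, so the caller still sees the failure even when the status write is skipped, which is the right outcome here.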
-- 
2.18.0

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH] qemu_migration: Avoid writing to freed memory
Posted by Ján Tomko 5 years, 7 months ago
On Thu, Aug 02, 2018 at 05:07:33PM +0200, Jiri Denemark wrote:
>When a domain is killed on the source host while it is being migrated
>and libvirtd is waiting for the migration to finish (waiting for the
>domain condition in qemuMigrationSrcWaitForCompletion), the run-time
>state including priv->job.current may already be freed once
>virDomainObjWait returns with -1. Thus the priv->job.current pointer
>cached in jobInfo is no longer valid and setting jobInfo->status may
>crash the daemon.
>
>https://bugzilla.redhat.com/show_bug.cgi?id=1593137
>
>Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
>---
> src/qemu/qemu_migration.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>

Reviewed-by: Ján Tomko <jtomko@redhat.com>

Jano
Re: [libvirt] [PATCH] qemu_migration: Avoid writing to freed memory
Posted by no-reply@patchew.org 5 years, 7 months ago
Hi,

This series was run against 'syntax-check' test by patchew.org, which failed, please find the details below:

Type: series
Message-id: 7824152ee221199b352c0753db3eefaa5ec9dbb7.1533222453.git.jdenemar@redhat.com
Subject: [libvirt] [PATCH] qemu_migration: Avoid writing to freed memory

=== TEST SCRIPT BEGIN ===
#!/bin/bash
# Testing script will be invoked under the git checkout with
# HEAD pointing to a commit that has the patches applied on top of "base"
# branch
time bash -c './autogen.sh && make syntax-check'
=== TEST SCRIPT END ===

Updating bcb55ab053bc79561b55d0394490f4b64e0f2d01
From https://github.com/patchew-project/libvirt
 t [tag update]            patchew/20180803093532.16922-1-berrange@redhat.com -> patchew/20180803093532.16922-1-berrange@redhat.com
 t [tag update]            patchew/7824152ee221199b352c0753db3eefaa5ec9dbb7.1533222453.git.jdenemar@redhat.com -> patchew/7824152ee221199b352c0753db3eefaa5ec9dbb7.1533222453.git.jdenemar@redhat.com
Switched to a new branch 'test'
fatal: Not a valid branch point: '9eae8398edde9446ecc99f4f393bea94652fb6a2'.
Traceback (most recent call last):
  File "patchew-tester/src/patchew-cli", line 523, in test_one
    cwd=clone, stdout=logf, stderr=logf)
  File "/usr/lib64/python3.6/subprocess.py", line 291, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['git', 'branch', 'base', '9eae8398edde9446ecc99f4f393bea94652fb6a2']' returned non-zero exit status 128.
---
Email generated automatically by Patchew [http://patchew.org/].
Please send your feedback to patchew-devel@redhat.com
