On 03.12.2014 16:01, Luyao Huang wrote:
https://bugzilla.redhat.com/show_bug.cgi?id=1087104#c5 When try to use a invalid offset do volupload, libvirt will get failed in virFDStreamOpenFileInternal, but seems libvirt do not check the return in storageVolUpload, and call virFDStreamSetInternalCloseCb , but stream doesn't have a privateData (is NULL), then crash. Although libvirt have a check for invalid offset in cmdVolUpload, but i think there should have some other way to touch off this crash. 0 0x00007f09429a9c10 in pthread_mutex_lock () from /lib64/libpthread.so.0 1 0x00007f094514dbf5 in virMutexLock (m=<optimized out>) at util/virthread.c:88 2 0x00007f09451cb211 in virFDStreamSetInternalCloseCb at fdstream.c:795 3 0x00007f092ff2c9eb in storageVolUpload at storage/storage_driver.c:2098 4 0x00007f09451f46e0 in virStorageVolUpload at libvirt.c:14000 5 0x00007f0945c78fa1 in remoteDispatchStorageVolUpload at remote_dispatch.h:14339 6 remoteDispatchStorageVolUploadHelper at remote_dispatch.h:14309 7 0x00007f094524a192 in virNetServerProgramDispatchCall at rpc/virnetserverprogram.c:437 Signed-off-by: Luyao Huang <lhuang@xxxxxxxxxx> --- src/storage/storage_driver.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/storage/storage_driver.c b/src/storage/storage_driver.c index 7f33d6f..7f4de19 100644 --- a/src/storage/storage_driver.c +++ b/src/storage/storage_driver.c @@ -2111,8 +2111,9 @@ storageVolUpload(virStorageVolPtr obj, goto cleanup; } - ret = backend->uploadVol(obj->conn, pool, vol, stream, - offset, length, flags); + if ((ret = backend->uploadVol(obj->conn, pool, vol, stream, + offset, length, flags)) < 0) + goto cleanup; /* Add cleanup callback - call after uploadVol since the stream * is then fully set up
I've updated the commit message a bit, ACKed and pushed. Michal -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list