On 01/07/15 13:41, Martin Kletzander wrote:
> On Wed, Jan 07, 2015 at 12:00:57PM +0100, Peter Krempa wrote:
>> In commit 540c339a2535ec30d79e5ef84d8f50a17bc60723 the whole domain
>> reference counting was refactored in the qemu driver. Domain jobs now
>> don't need to reference the domain object as they now expect the
>> reference from the calling function.
>>
>> However, the patch forgot to remove the unref call in case we exit the
>> monitor when we were acquiring a nested job. This caused the daemon to
>> crash on a subsequent access to the domain object once we've done an
>> operation requiring a nested job for a monitor access.
>>
>> An easy reproducer case:
>>
>> 1) Start a vm with qcow disks
>> 2) virsh snapshot-create-as DOMNAME
>> 3) virsh dumpxml DOMNAME
>> 4) daemon crashes in a semi-random spot while accessing a now-removed VM
>> object.
>>
>> Fortunately, the commit wasn't released yet, so there are no security
>> implications.
>>
>> Reported-by: Shanzi Yu <shyu@xxxxxxxxxx>
>> Signed-off-by: Peter Krempa <pkrempa@xxxxxxxxxx>
>> ---
>> Cc: Martin Kletzander <mkletzan@xxxxxxxxxx>
>> Cc: Shanzi Yu <shyu@xxxxxxxxxx>
>>
>> src/qemu/qemu_domain.c | 2 --
>> 1 file changed, 2 deletions(-)
>>
>> diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
>> index bd64409..3d4023c 100644
>> --- a/src/qemu/qemu_domain.c
>> +++ b/src/qemu/qemu_domain.c
>> @@ -1573,8 +1573,6 @@
>> qemuDomainObjExitMonitorInternal(virQEMUDriverPtr driver,
>> qemuDomainObjResetJob(priv);
>> qemuDomainObjSaveJob(driver, obj);
>> virCondSignal(&priv->job.cond);
>> -
>> - virObjectUnref(obj);
>> }
>> }
>>
>
> ACK, thanks for catching that.
>
> Martin

Pushed; Thanks.

Peter
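Review bot: only the release side of the nested-job reference is visible in this hunk; please confirm that the matching reference taken when the nested job is begun (before entering the monitor) was also dropped by 540c339a2535ec30d79e5ef84d8f50a17bc60723, because removing `virObjectUnref(obj)` here on its own would otherwise trade the use-after-free described in the commit message for a leaked domain object reference. A one-line note in the commit message stating that the acquire side no longer refs the object would make that pairing clear to future readers of qemuDomainObjExitMonitorInternal.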
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list