Re: [PATCH 2/3] qemu_conf: Avoid dereferencing NULL in virQEMUDriverGetHost{NUMACaps, CPU}

Peter Krempa <pkrempa@xxxxxxxxxx> · Fri, 24 Jan 2020 12:05:28 +0100

On Fri, Jan 24, 2020 at 11:27:17 +0100, Michal Privoznik wrote:
> When fixing [1] I've ran attached reproducer and had it spawn
> 1024 threads and query capabilities XML in each one of them. This
> lead libvirtd to hit the RLIMIT_NOFILE limit which was kind of
> expected. What wasn't expected was a subsequent segfault. It
> happened because virCPUProbeHost failed and returned NULL. We've
> taken the NULL and passed it to virCapabilitiesHostNUMARef()
> which dereferenced it. Code inspection showed the same flas in
> virQEMUDriverGetHostNUMACaps(), so I'm fixing both places.
> 
> 1: https://bugzilla.redhat.com/show_bug.cgi?id=1791790
> 
> Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
> ---
>  src/qemu/qemu_conf.c | 17 +++++++++++++----
>  1 file changed, 13 insertions(+), 4 deletions(-)

Reviewed-by: Peter Krempa <pkrempa@xxxxxxxxxx>

Consider fixing the whitespace discrepancy though:

> 
> diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
> index b62dd1df52..8040f8ab3a 100644
> --- a/src/qemu/qemu_conf.c
> +++ b/src/qemu/qemu_conf.c
> @@ -1201,32 +1201,41 @@ virQEMUDriverCreateXMLConf(virQEMUDriverPtr driver,
>  virCapsHostNUMAPtr
>  virQEMUDriverGetHostNUMACaps(virQEMUDriverPtr driver)
>  {
> +    virCapsHostNUMAPtr hostnuma;
> +
>      qemuDriverLock(driver);
>  
>      if (!driver->hostnuma)
>          driver->hostnuma = virCapabilitiesHostNUMANewHost();
>  
> +    hostnuma = driver->hostnuma;
>      qemuDriverUnlock(driver);

No newline before unlock.

>  
> -    virCapabilitiesHostNUMARef(driver->hostnuma);
> +    if (hostnuma)
> +        virCapabilitiesHostNUMARef(hostnuma);
>  
> -    return driver->hostnuma;
> +    return hostnuma;
>  }
>  
>  
>  virCPUDefPtr
>  virQEMUDriverGetHostCPU(virQEMUDriverPtr driver)
>  {
> +    virCPUDefPtr hostcpu;
> +
>      qemuDriverLock(driver);
>  
>      if (!driver->hostcpu)
>          driver->hostcpu = virCPUProbeHost(virArchFromHost());
>  
> +    hostcpu = driver->hostcpu;
> +
>      qemuDriverUnlock(driver);

Newline before unlock.

>  
> -    virCPUDefRef(driver->hostcpu);
> +    if (hostcpu)
> +        virCPUDefRef(hostcpu);
>  
> -    return driver->hostcpu;
> +    return hostcpu;
>  }
>  
>  
> -- 
> 2.24.1
> 