On 06/30/2011 08:10 AM, Daniel P. Berrange wrote:
> The qemudDomainSaveFlag method will call EndJob on the 'vm'
> object it is passed in. This can result in the 'vm' object
> being free'd if the last reference is removed. Thus no caller
> of 'qemudDomainSaveFlag' must *ever* reference 'vm' again
> upon return.
>
> Unfortunately qemudDomainSave and qemuDomainManagedSave
> both call 'virDomainObjUnlock', which can result in a
> crash. This is non-deterministic since it involves a race
> with the monitor I/O thread.
>
> Fix this by making qemudDomainSaveFlag responsible for
> calling virDomainObjUnlock instead.
>
> * src/qemu/qemu_driver.c: Fix potential use after free
> when saving guests
> ---
> src/qemu/qemu_driver.c | 9 ++++++++-
> 1 files changed, 8 insertions(+), 1 deletions(-)

Nice analysis, and probably something that people have hit before.

ACK.

--
Eric Blake eblake@xxxxxxxxxx +1-801-349-2682
Libvirt virtualization library http://libvirt.org
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
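The ownership hazard in the quoted commit message, reproduced as an added example that is not libvirt's code and not part of this thread: a constructed refcounted object (`dom_t`, a stand-in for the driver's domain object) whose job-ending helper drops the job's reference and can therefore tear the object down. Instead of really freeing, teardown poisons the object (the way a sanitizer quarantine would), so the old caller pattern (unlock after the helper returns) is caught as a use-after-free, while the fixed pattern (the helper unlocks only when the object survived, and the caller never touches it again) is not. The race with the monitor thread is made deterministic by dropping the last external reference while the job is running; all names here are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define LIVE_MAGIC 0x4c495645u  /* "LIVE" */
#define DEAD_MAGIC 0x44454144u  /* "DEAD" */

/* Constructed model of a refcounted, lockable domain object (hypothetical;
 * not libvirt's virDomainObj). Teardown only poisons the block so that a
 * later access is detected instead of crashing. */
typedef struct {
    unsigned magic;
    int refs;
    bool locked;
} dom_t;

static int uaf_detected = 0;   /* accesses to a torn-down object */

static dom_t *dom_new(void) {
    dom_t *d = malloc(sizeof *d);
    d->magic = LIVE_MAGIC;
    d->refs = 1;               /* the driver's list holds this reference */
    d->locked = false;
    return d;
}

static void dom_lock(dom_t *d) {
    if (d->magic != LIVE_MAGIC) { uaf_detected++; return; }
    d->locked = true;
}

static void dom_unlock(dom_t *d) {
    if (d->magic != LIVE_MAGIC) { uaf_detected++; return; }
    d->locked = false;
}

/* Drop one reference. On the last one the object is torn down: the lock is
 * released and the block poisoned. Returns true if the object is still alive. */
static bool dom_unref(dom_t *d) {
    if (--d->refs > 0)
        return true;
    d->locked = false;
    d->magic = DEAD_MAGIC;
    return false;
}

static void dom_begin_job(dom_t *d) { d->refs++; }      /* the job holds a ref */
static bool dom_end_job(dom_t *d)   { return dom_unref(d); }

/* Old shape: ends the job but leaves unlocking to the caller, which cannot
 * know whether the object still exists. */
static void save_flag_old(dom_t *d) { dom_end_job(d); }

/* Fixed shape: ends the job and unlocks only if the object survived.
 * After this returns the caller must not touch d at all. */
static void save_flag_fixed(dom_t *d) {
    if (dom_end_job(d))
        dom_unlock(d);
}

/* Run one caller pattern with the last external reference dropped while the
 * job is in progress. Returns the number of use-after-free accesses seen. */
static int run_race(bool fixed) {
    uaf_detected = 0;
    dom_t *d = dom_new();
    dom_lock(d);
    dom_begin_job(d);          /* refs: list + job */
    dom_unref(d);              /* concurrent teardown drops the list ref */
    if (fixed) {
        save_flag_fixed(d);    /* object dies inside; nothing touches it after */
    } else {
        save_flag_old(d);
        dom_unlock(d);         /* buggy caller: object is already gone */
    }
    free(d);                   /* release the poisoned block after the check */
    return uaf_detected;
}

/* Normal path: the list reference outlives the job, so the fixed helper must
 * leave the object alive and unlocked. Returns true if it does. */
static bool run_normal(void) {
    uaf_detected = 0;
    dom_t *d = dom_new();
    dom_lock(d);
    dom_begin_job(d);
    save_flag_fixed(d);        /* we still hold the list ref, so d is valid */
    bool ok = d->magic == LIVE_MAGIC && !d->locked && uaf_detected == 0;
    dom_lock(d);
    dom_unref(d);              /* drop our own reference; tears down */
    free(d);
    return ok;
}

int main(void) {
    printf("old caller under race:   %d use-after-free access(es)\n", run_race(false));
    printf("fixed caller under race: %d use-after-free access(es)\n", run_race(true));
    printf("fixed caller, normal:    %s\n", run_normal() ? "ok" : "FAIL");
    return 0;
}
```

The design point is the same one the patch makes: whichever function may drop the last reference has to be the one that decides about the unlock, because only it sees the return value that says whether the object is still there. Any caller that unlocks afterwards is gambling on a race with the thread that holds the other reference.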