On 08.03.2013 14:46, Peter Krempa wrote:
> On 03/08/13 13:20, Michal Privoznik wrote:
>> When there are two concurrent threads, we may dereference a NULL
>> pointer, even though it has been checked before:
>>
>> 1. Thread1: starts executing qemuDomainBlockStatsFlags() with nparams != 0.
>>    It finds the given disk and successfully passes the check for
>>    disk->info.alias not being NULL.
>> 2. Thread2: starts executing qemuDomainDetachDeviceFlags() on the very same
>>    disk as Thread1 is working on.
>> 3. Thread1: gets to qemuDomainObjBeginJob() where it sets a job on a domain.
>> 4. Thread2: also tries to set a job. However, we are not guaranteed which
>>    thread wins. So assume it's Thread2 who can continue.
>> 5. Thread2: does the actual detach and frees disk->info.alias
>> 6. Thread2: quits the job
>> 7. Thread1: now successfully acquires the job, and accesses a NULL pointer.
>> ---
>
> Wow! Yes that might happen,
>
>>  src/qemu/qemu_driver.c | 18 ++++++------------
>>  1 file changed, 6 insertions(+), 12 deletions(-)
>>
>
> ACK.
>
> Peter
>

Thanks, pushed.

Michal

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
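The interleaving described in the commit message, as an added example that is not part of this thread or of libvirt's code: a deterministic C model of the check-then-job ordering beside the job-then-check ordering. The `Domain`, `Disk`, `begin_job`/`end_job` and `thread2_detach` names are hypothetical stand-ins, and `thread2_wins` replaces real scheduling so the step 4-6 interleaving can be forced on demand.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for a libvirt domain: one disk whose alias is
 * heap-allocated, plus the per-domain job that serialises API calls. */
typedef struct { char *alias; } Disk;
typedef struct { Disk disk; int job_held; } Domain;
static void begin_job(Domain *dom) { dom->job_held = 1; }
static void end_job(Domain *dom)   { dom->job_held = 0; }

/* Deterministic model of steps 4-6: Thread2 wins the job, detaches the
 * disk and frees disk.alias while Thread1 is still waiting for the job. */
static void thread2_detach(Domain *dom) {
    begin_job(dom);
    free(dom->disk.alias); dom->disk.alias = NULL;
    end_job(dom);
}

/* Ordering from the commit message: check the alias, THEN take the job.
 * Returns strlen(alias) as the "use", -1 if the check rejects the disk,
 * -2 if the stale check lets a NULL alias reach the use (a real crash). */
int stats_racy(Domain *dom, int nparams, int thread2_wins) {
    if (nparams != 0 && dom->disk.alias == NULL)
        return -1;                          /* step 1: check passes */
    if (thread2_wins) thread2_detach(dom);  /* steps 4-6 in the meantime */
    begin_job(dom);                         /* step 7: Thread1 gets the job */
    int ret = dom->disk.alias ? (int)strlen(dom->disk.alias) : -2;
    end_job(dom);
    return ret;
}

/* Fixed ordering: take the job first and validate the disk under it, so
 * nothing can free the alias between the check and the use. */
int stats_fixed(Domain *dom, int nparams, int thread2_wins) {
    if (thread2_wins) thread2_detach(dom);  /* same interleaving */
    begin_job(dom);
    int ret = -1;                           /* disk gone: error, no deref */
    if (nparams != 0 && dom->disk.alias != NULL)
        ret = (int)strlen(dom->disk.alias);
    end_job(dom);
    return ret;
}

/* Run one variant on a fresh domain with an attached disk aliased "vda". */
int run_variant(int fixed, int thread2_wins) {
    Domain d = { { strdup("vda") }, 0 };
    int ret = (fixed ? stats_fixed : stats_racy)(&d, 1, thread2_wins);
    free(d.disk.alias);
    return ret;
}
```

Without the interleaving both orderings return 3 (the alias "vda" is used); with Thread2 winning, the racy ordering reaches the NULL use while the fixed ordering reports an error instead.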