
From f06f903d5cb3c14853a7213b6a70c078380b7a62 Mon Sep 17 00:00:00 2001
Message-Id: <f06f903d5cb3c14853a7213b6a70c078380b7a62@dist-git>
From: Michal Privoznik <mprivozn@redhat.com>
Date: Fri, 24 Jan 2020 15:05:50 +0100
Subject: [PATCH] qemu_conf: Avoid dereferencing NULL in
 virQEMUDriverGetHost{NUMACaps, CPU}
When fixing [1] I've ran attached reproducer and had it spawn
1024 threads and query capabilities XML in each one of them. This
lead libvirtd to hit the RLIMIT_NOFILE limit which was kind of
expected. What wasn't expected was a subsequent segfault. It
happened because virCPUProbeHost failed and returned NULL. We've
taken the NULL and passed it to virCapabilitiesHostNUMARef()
which dereferenced it. Code inspection showed the same flaw in
virQEMUDriverGetHostNUMACaps(), so I'm fixing both places.
1: https://bugzilla.redhat.com/show_bug.cgi?id=1791790
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
(cherry picked from commit cc361a34c53210d682dbc5f2d506b4a23b71e399)
https://bugzilla.redhat.com/show_bug.cgi?id=1794691
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Message-Id: <5de22b27463cd2803b3910d7ef45a0e4bc08ad47.1579874719.git.mprivozn@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
---
 src/qemu/qemu_conf.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
d76c62
index 3d2f0e7bbb..e33ef4895e 100644
d76c62
--- a/src/qemu/qemu_conf.c
d76c62
+++ b/src/qemu/qemu_conf.c
d76c62
@@ -1201,32 +1201,42 @@ virQEMUDriverCreateXMLConf(virQEMUDriverPtr driver,
d76c62
 virCapsHostNUMAPtr
d76c62
 virQEMUDriverGetHostNUMACaps(virQEMUDriverPtr driver)
d76c62
 {
d76c62
+    virCapsHostNUMAPtr hostnuma;
d76c62
+
d76c62
     qemuDriverLock(driver);
d76c62
 
d76c62
     if (!driver->hostnuma)
d76c62
         driver->hostnuma = virCapabilitiesHostNUMANewHost();
d76c62
 
d76c62
+    hostnuma = driver->hostnuma;
d76c62
+
d76c62
     qemuDriverUnlock(driver);
d76c62
 
d76c62
-    virCapabilitiesHostNUMARef(driver->hostnuma);
d76c62
+    if (hostnuma)
d76c62
+        virCapabilitiesHostNUMARef(hostnuma);
d76c62
 
d76c62
-    return driver->hostnuma;
d76c62
+    return hostnuma;
d76c62
 }
d76c62
 
d76c62
 
d76c62
 virCPUDefPtr
d76c62
 virQEMUDriverGetHostCPU(virQEMUDriverPtr driver)
d76c62
 {
d76c62
+    virCPUDefPtr hostcpu;
d76c62
+
d76c62
     qemuDriverLock(driver);
d76c62
 
d76c62
     if (!driver->hostcpu)
d76c62
         driver->hostcpu = virCPUProbeHost(virArchFromHost());
d76c62
 
d76c62
+    hostcpu = driver->hostcpu;
d76c62
+
d76c62
     qemuDriverUnlock(driver);
d76c62
 
d76c62
-    virCPUDefRef(driver->hostcpu);
d76c62
+    if (hostcpu)
d76c62
+        virCPUDefRef(hostcpu);
d76c62
 
d76c62
-    return driver->hostcpu;
d76c62
+    return hostcpu;
d76c62
 }
d76c62
 
d76c62
 
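Review bot: In both functions the reference is still taken on the local copy after `qemuDriverUnlock(driver)`, so there is a window between the unlock and `virCapabilitiesHostNUMARef(hostnuma)` / `virCPUDefRef(hostcpu)` in which any other thread that replaces or unrefs the cached `driver->hostnuma` / `driver->hostcpu` under the lock would leave the local pointer dangling; whether such a path exists is not visible here, but unless the Ref helpers take a lock of their own the safer shape is to increment before releasing, i.e. move `if (hostnuma) virCapabilitiesHostNUMARef(hostnuma);` above the unlock (and likewise for `hostcpu`). The NULL return on probe failure is also an undocumented contract change for callers that previously never saw NULL, and since a failed probe leaves the cache unset so the next call retries, a comment above each function such as `/* Returns a new reference to the lazily probed host NUMA caps, or NULL if probing failed (error already reported; the probe is retried on the next call). Caller must unref. */` would make both facts explicit. The callers are outside this hunk, so it is worth confirming each one handles a NULL result rather than passing it straight on.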
-- 
2.25.0