From: Shannon Zhao
Date: Tue, 5 Jun 2018 10:14:39 +0800
Message-ID: <1528164879-10908-1-git-send-email-zhaoshenglong@huawei.com>
Cc: zhuweilun@huawei.com, king.wang@huawei.com
Subject: [libvirt] [PATCH] qemu: fix msg could be a wild pointer in qemuMonitorIOProcess()
List-Id: Development discussions about the libvirt library & tools
From: Weilun Zhu

As qemuMonitorJSONIOProcess() will unlock the qemu monitor, there is some
extreme situation, e.g. qemu sends a message to the monitor twice in a short
time, where the local variable 'msg' of qemuMonitorIOProcess() could be a
wild pointer:

1. qemuMonitorSend() assigns mon->msg to parameter 'msg', which is also a
   local variable of its caller qemuMonitorJSONCommandWithFd(), causes the
   event loop to send the message to the monitor, then waits on the condition.
2. qemu sends a message to the monitor for the first time immediately.
3. qemuMonitorIOProcess() is called, then wakes up the qemuMonitorSend()
   thread, but the qemuMonitorSend() thread is stuck for a while, which means
   the qemu monitor is still unlocked.
4. qemu sends a message to the monitor for the second time, such as an
   RTC_CHANGE event.
5. qemuMonitorIOProcess() is called; the local variable 'msg' is assigned to
   mon->msg.
6. qemuMonitorIOProcess() calls qemuMonitorJSONIOProcess() to deal with the
   message.
7. qemuMonitorJSONIOProcess() unlocks the qemu monitor, the qemuMonitorSend()
   thread gets the lock and frees mon->msg, assigning mon->msg to NULL. So
   the local variable 'msg' of qemuMonitorIOProcess() is a wild pointer now.

AFAIK, it is not harmful to call virCondBroadcast() again while msg is a wild
pointer, but just in case, we fix it in this patch.
---
 src/qemu/qemu_monitor.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c
index 43f1d2f..464f200 100644
--- a/src/qemu/qemu_monitor.c
+++ b/src/qemu/qemu_monitor.c
@@ -454,7 +454,7 @@ qemuMonitorIOProcess(qemuMonitorPtr mon)
 #if DEBUG_IO
     VIR_DEBUG("Process done %d used %d", (int)mon->bufferOffset, len);
 #endif
-    if (msg && msg->finished)
+    if (msg && msg == mon->msg && msg->finished)
         virCondBroadcast(&mon->notify);
     return len;
 }
-- 
1.8.3.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
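Review bot: the added `msg == mon->msg` comparison is the right guard for the sequence described in the commit message, but the line itself gives no hint why a local snapshot taken under the monitor lock can be stale; add a comment above the `if` saying that qemuMonitorJSONIOProcess() drops the monitor lock while dispatching events, so the waiting qemuMonitorSend() thread may have freed mon->msg in the meantime and `msg` must be re-validated against mon->msg before `msg->finished` is read. The commit message should also say plainly that the pre-patch line `if (msg && msg->finished)` reads a field of an already freed message in that sequence, i.e. a use-after-free read, not merely an extra virCondBroadcast(); that is the actual reason the guard is needed and "not harmful" undersells it. One edge case worth a sentence in the comment: if the sender has already freed the old message and a new one happens to be allocated at the same address, the comparison matches, but `msg` then points at the live object, so the dereference is still safe and an unfinished message simply does not trigger the broadcast.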
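The seven-step sequence in the commit message is a general hazard: a local pointer copied from shared state under a lock, then used after a callee has released and re-acquired that lock. The following is an added example, not libvirt's own code; Monitor, Message, io_process_fixed(), json_process() and the sender_* hooks are simplified stand-ins I chose for qemuMonitor, qemuMonitorMessage, qemuMonitorIOProcess(), qemuMonitorJSONIOProcess() and the qemuMonitorSend() thread. The lock is modelled as a flag with assertions and the interfering thread as a hook that runs while the lock is released, so the race is reproduced deterministically in one thread. The post-patch check is run against three interferences (none, sender frees the message, sender frees it and queues a new one); the pre-patch check is kept for comparison but is only safe to run with no interference, because with the other hooks its `msg->finished` reads freed memory.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdlib.h>

/* Single-threaded model of the race in the commit message.  Names are
 * simplified stand-ins for libvirt's qemuMonitor/qemuMonitorMessage
 * (assumptions for this example, not the project's own types). */
typedef struct {
    bool finished;              /* reply has arrived for this message */
} Message;

typedef struct {
    bool locked;                /* models the monitor mutex */
    Message *msg;               /* message the qemuMonitorSend() thread waits on */
    int broadcasts;             /* times the IO side woke the sender */
} Monitor;

static void mon_lock(Monitor *mon)   { assert(!mon->locked); mon->locked = true; }
static void mon_unlock(Monitor *mon) { assert(mon->locked);  mon->locked = false; }

/* What the sender thread may do while the IO thread has dropped the lock
 * (step 7 of the commit message).  Each hook runs with the lock free. */
typedef void (*UnlockedHook)(Monitor *mon);

/* Sender does not get scheduled: the message stays owned by the monitor. */
static void sender_idle(Monitor *mon) { (void)mon; }

/* Sender wakes up, frees the message and clears mon->msg. */
static void sender_frees(Monitor *mon)
{
    mon_lock(mon);
    free(mon->msg);
    mon->msg = NULL;
    mon_unlock(mon);
}

/* Sender frees the old message and queues a new, unfinished one
 * (may even land at the same address as the freed one). */
static void sender_replaces(Monitor *mon)
{
    mon_lock(mon);
    free(mon->msg);
    mon->msg = calloc(1, sizeof(Message));
    mon_unlock(mon);
}

/* Stand-in for qemuMonitorJSONIOProcess(): marks the pending reply finished,
 * then, like the real function while dispatching an event, releases the
 * monitor lock, during which the sender may run. */
static void json_process(Monitor *mon, Message *msg, UnlockedHook during_unlock)
{
    if (msg)
        msg->finished = true;
    mon_unlock(mon);
    during_unlock(mon);
    mon_lock(mon);
}

typedef bool (*IoProcess)(Monitor *mon, UnlockedHook during_unlock);

/* Post-patch IO path: the local snapshot 'msg' is only dereferenced after
 * confirming it is still the message the monitor owns.  Returns true if the
 * sender was woken. */
static bool io_process_fixed(Monitor *mon, UnlockedHook during_unlock)
{
    mon_lock(mon);
    Message *msg = mon->msg;            /* snapshot taken under the lock */
    json_process(mon, msg, during_unlock);
    bool woke = (msg && msg == mon->msg && msg->finished);
    if (woke)
        mon->broadcasts++;              /* models virCondBroadcast(&mon->notify) */
    mon_unlock(mon);
    return woke;
}

/* Pre-patch IO path, kept for comparison.  With sender_frees or
 * sender_replaces as the hook, 'msg->finished' reads freed memory, so this
 * function must only be called with sender_idle. */
static bool io_process_unchecked(Monitor *mon, UnlockedHook during_unlock)
{
    mon_lock(mon);
    Message *msg = mon->msg;
    json_process(mon, msg, during_unlock);
    bool woke = (msg && msg->finished); /* unsafe if the sender freed msg */
    if (woke)
        mon->broadcasts++;
    mon_unlock(mon);
    return woke;
}

/* Set up a monitor with one pending message, run one IO pass with the given
 * interference, release whatever the monitor still owns, and report whether
 * the sender was woken. */
static bool run(IoProcess io, UnlockedHook during_unlock)
{
    Monitor mon = { .locked = false, .msg = calloc(1, sizeof(Message)), .broadcasts = 0 };
    bool woke = io(&mon, during_unlock);
    assert(mon.broadcasts == (woke ? 1 : 0));
    free(mon.msg);
    return woke;
}

int main(void)
{
    assert(run(io_process_fixed, sender_idle) == true);       /* reply arrived, sender woken */
    assert(run(io_process_fixed, sender_frees) == false);     /* msg dangling: not dereferenced */
    assert(run(io_process_fixed, sender_replaces) == false);  /* new message, not finished */
    assert(run(io_process_unchecked, sender_idle) == true);   /* pre-patch form, safe only here */
    return 0;
}
```

The point the model makes is that the `msg == mon->msg` comparison only examines pointer values, which is what makes it usable after the unlock; any check that dereferences `msg` first (the pre-patch form) is already too late if the owner freed it. Re-validating a snapshot against the shared field after every lock gap is the general pattern the patch applies.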