[libvirt] [PATCH] tests: fix segault in objecteventtest

Roman Bogorodskiy bogorodskiy at gmail.com
Wed Aug 24 16:59:01 UTC 2016 

  Michal Privoznik wrote:

> On 24.08.2016 12:55, Roman Bogorodskiy wrote:
> > Test 12 from objecteventtest (createXML add event) segaults on FreeBSD
> > with bus error.
> > 
> > At some point it calls testNodeDeviceDestroy() from the test driver. And
> > it fails when it tries to unlock the device in the "out:" label of this
> > function.
> > 
> > Unlocking fails because the previous step was a call to
> > virNodeDeviceObjRemove from conf/node_device_conf.c. This function
> > removes the given device from the device list and cleans up the object,
> > including destroying of its mutex. However, it does not nullify the pointer
> > that was given to it.
> > 
> > As a result, we end up in testNodeDeviceDestroy() here:
> > 
> >  out:
> >     if (obj)
> >         virNodeDeviceObjUnlock(obj);
> > 
> > And instead of skipping this, we try to do Unlock and fail because of
> > malformed mutex.
> > 
> > Fix this by nullifying obj passed to virNodeDeviceObjRemove.
> > ---
> >  src/conf/node_device_conf.c | 1 +
> >  1 file changed, 1 insertion(+)
> > 
> > diff --git a/src/conf/node_device_conf.c b/src/conf/node_device_conf.c
> > index a23d8ef..16b9d93 100644
> > --- a/src/conf/node_device_conf.c
> > +++ b/src/conf/node_device_conf.c
> > @@ -218,6 +218,7 @@ void virNodeDeviceObjRemove(virNodeDeviceObjListPtr devs,
> >          if (devs->objs[i] == dev) {
> >              virNodeDeviceObjUnlock(dev);
> >              virNodeDeviceObjFree(devs->objs[i]);
> > +            *(void**)dev = NULL;
> >  
> >              VIR_DELETE_ELEMENT(devs->objs, i, devs->count);
> >              break;
> > 
> 
> This is very hackish. It only clears first 8 bytes of the struct so next
> time somebody tries to access the lock in there it's all zeroes.

At this point there's no sense to access the lock because it's been
destroyed with virMutexDestroy anyway. But yeah, it feels hackish...

> Either we should make virNodeDeviceObjRemove() take a double pointer
> (and thus set the pointer to NULL properly), or fix every caller of
> virNodeDeviceObjRemove().

Uh, yeah. I'd prefer to use double pointer I guess.
virNodeDeviceObjRemove() doesn't seem to be a part of public API and
we're allowed to change it this way, right? If that's the case I like
this approach better.

Roman Bogorodskiy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20160824/1eb6b309/attachment-0001.sig>

More information about the libvir-list mailing list