[libvirt] [PATCH] qemu: fix msg could be a wild pointer in qemuMonitorIOProcess()

Jiri Denemark jdenemar at redhat.com
Fri Jun 22 08:45:03 UTC 2018


On Wed, Jun 20, 2018 at 16:45:27 +0800, Weilun Zhu wrote:
> As qemuMonitorJSONIOProcess will call qemuMonitorJSONIOProcessEvent,
> which unlocks the monitor mutex, there is an extreme situation,
> e.g. qemu sends a message to the monitor twice in a short time, where the
> local variable 'msg' of qemuMonitorIOProcess could be a wild pointer:
> 
> 1. qemuMonitorSend() assigns mon->msg to parameter 'msg', which is also a
> local variable of its caller qemuMonitorJSONCommandWithFd(), causes the
> event loop to send the message to the monitor, then waits on the condition.
> 2. qemu sends a message to the monitor for the first time immediately.
> 3. qemuMonitorIOProcess() is called, then wakes up the qemuMonitorSend()
> thread, but the qemuMonitorSend() thread is stuck for a while due to CPU
> pressure or some other reason, which means the qemu monitor is still unlocked.
> 4. qemu sends an event message to the monitor for the second time,
> such as an RTC_CHANGE event.
> 5. qemuMonitorIOProcess() is called again, and the local variable 'msg' is
> assigned mon->msg.
> 6. qemuMonitorIOProcess() calls qemuMonitorJSONIOProcess() to deal with
> the qemu event.
> 7. qemuMonitorJSONIOProcess() unlocks the qemu monitor in the macro
> 'QEMU_MONITOR_CALLBACK', then the qemuMonitorSend() thread gets the mutex,
> frees mon->msg and sets mon->msg to NULL.
> 
> Signed-off-by: Weilun Zhu <zhuweilun at huawei.com>
> ---
>  src/qemu/qemu_monitor.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)

Reviewed-by: Jiri Denemark <jdenemar at redhat.com>

and pushed.
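The seven-step race in the quoted commit message, replayed as an added, self-contained illustration; this is not libvirt's code nor the patch itself (the diff is not on this page). The struct names, the `onUnlock` hook that stands in for the sender thread running while the lock is dropped, and the `mon->msg == msg` re-check are all modelling assumptions, not the actual fix.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for libvirt's monitor and message structs. */
typedef struct Monitor Monitor;
typedef struct { bool finished; } MonMessage;
struct Monitor {
    MonMessage *msg;                /* owned by the sending thread */
    void (*onUnlock)(Monitor *);    /* runs whenever the lock is dropped */
};
/* Step 7 of the report, played by the sender thread once it holds the
 * lock again: free mon->msg and clear it. */
static void senderFreesMessage(Monitor *mon)
{
    free(mon->msg);
    mon->msg = NULL;
}
/* Stand-in for qemuMonitorJSONIOProcess: an event callback runs with the
 * monitor lock released, so the sender thread may run in between. */
static void processLine(Monitor *mon, const char *line)
{
    if (strstr(line, "\"event\"") && mon->onUnlock)
        mon->onUnlock(mon);
}
/* 1: cached message still valid and finished; 0: nothing to do;
 * -1: mon->msg changed while unlocked, the dangling copy is not used. */
static int monitorIOProcess(Monitor *mon, const char *line)
{
    MonMessage *msg = mon->msg;     /* local copy, as in the report */
    processLine(mon, line);
    if (!msg)
        return 0;
    if (mon->msg != msg)
        return -1;
    return msg->finished ? 1 : 0;
}
/* Replays the report's steps with a constructed RTC_CHANGE event line;
 * racing=false runs the same path with no competing sender thread. */
int runScenario(bool racing)
{
    Monitor mon = { calloc(1, sizeof(MonMessage)), racing ? senderFreesMessage : NULL };
    if (!mon.msg)
        return -2;                  /* allocation failed */
    mon.msg->finished = true;
    int rc = monitorIOProcess(&mon, "{\"event\": \"RTC_CHANGE\"}");
    free(mon.msg);                  /* NULL after the race; harmless */
    return rc;
}
```

Without the identity re-check, `msg->finished` in the racing case would read freed memory, which is exactly the wild pointer the report describes.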