[libvirt] [PATCH 2/2] qemu: Set identity for the reconnect all thread

Mon Nov 12 06:42:27 UTC 2018

On Fri, Nov 09, 2018 at 19:39:37 -0500, John Ferlan wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=1631622
> 
> If polkit authentication is enabled, an attempt to open
> the connection failed during virAccessDriverPolkitGetCaller
> when the call to virIdentityGetCurrent returned NULL resulting
> in the errors:
> 
>   virAccessDriverPolkitGetCaller:87 : access denied from:
>   Policy kit denied action org.libvirt.api.connect.getattr from <anonymous>
> 
>   virAccessManagerSanitizeError:204 : access denied from: nwfilter
> 
> Because qemuProcessReconnect runs in a thread during
> daemonRunStateInit processing it doesn't have the thread
> local identity. Thus when the virGetConnectNWFilter is
> called as part of the qemuProcessFiltersInstantiate when
> virDomainConfNWFilterInstantiate is run the attempt to get
> the idenity fails and results in the anonymous error above.
> 
> To fix this, let's grab/use the virIdenityPtr of the process
> that will be creating the thread, e.g. what daemonRunStateInit
> has set and use that for our thread. That way any other similar
> processing that uses/requires an identity for any other call
> that would have previously been successfully run won't fail in
> a similar manner.
> 
> Signed-off-by: John Ferlan <jferlan at redhat.com>
> ---
>  src/qemu/qemu_process.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
> index 06a65b44e4..93f6a2279a 100644
> --- a/src/qemu/qemu_process.c
> +++ b/src/qemu/qemu_process.c
> @@ -81,6 +81,7 @@
>  #include "netdev_bandwidth_conf.h"
>  #include "virresctrl.h"
>  #include "virvsock.h"
> +#include "viridentity.h"
>  
>  #define VIR_FROM_THIS VIR_FROM_QEMU
>  
> @@ -7716,6 +7717,7 @@ qemuProcessRefreshCPU(virQEMUDriverPtr driver,
>  struct qemuProcessReconnectData {
>      virQEMUDriverPtr driver;
>      virDomainObjPtr obj;
> +    virIdentityPtr identity;
>  };
>  /*
>   * Open an existing VM's monitor, re-detect VCPU threads
> @@ -7753,6 +7755,7 @@ qemuProcessReconnect(void *opaque)
>      bool retry = true;
>      bool tryMonReconn = false;
>  
> +    virIdentitySetCurrent(data->identity);

This takes it's own reference to the identity. The reference in
data->identity is then leaked.

>      VIR_FREE(data);
>  
>      qemuDomainObjRestoreJob(obj, &oldjob);
> @@ -7979,6 +7982,7 @@ qemuProcessReconnect(void *opaque)
>      virObjectUnref(cfg);
>      virObjectUnref(caps);
>      virNWFilterUnlockFilterUpdates();
> +    virIdentitySetCurrent(NULL);
>      return;
>  
>   error:
> @@ -8022,6 +8026,7 @@ qemuProcessReconnectHelper(virDomainObjPtr obj,
>  
>      memcpy(data, src, sizeof(*data));
>      data->obj = obj;
> +    data->identity = virIdentityGetCurrent();

In addition to the leak from the thread, the reference is also leaked if
the thread creation fails.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20181112/683c9bcb/attachment-0001.sig>