From 04f435535c4cbbcb72190cc3e05e440374165ffd Mon Sep 17 00:00:00 2001 Message-Id: <04f435535c4cbbcb72190cc3e05e440374165ffd@dist-git> From: Luyao Huang Date: Wed, 3 Dec 2014 13:35:29 -0500 Subject: [PATCH] storage: fix crash caused by no check return before set close https://bugzilla.redhat.com/show_bug.cgi?id=1087104#c5 When trying to use an invalid offset to virStorageVolUpload(), libvirt fails in virFDStreamOpenFileInternal(), although it seems libvirt does not check the return in storageVolUpload(), and calls virFDStreamSetInternalCloseCb() right after. But stream doesn't have a privateData (is NULL) yet, and the daemon crashes then. 0 0x00007f09429a9c10 in pthread_mutex_lock () from /lib64/libpthread.so.0 1 0x00007f094514dbf5 in virMutexLock (m=) at util/virthread.c:88 2 0x00007f09451cb211 in virFDStreamSetInternalCloseCb at fdstream.c:795 3 0x00007f092ff2c9eb in storageVolUpload at storage/storage_driver.c:2098 4 0x00007f09451f46e0 in virStorageVolUpload at libvirt.c:14000 5 0x00007f0945c78fa1 in remoteDispatchStorageVolUpload at remote_dispatch.h:14339 6 remoteDispatchStorageVolUploadHelper at remote_dispatch.h:14309 7 0x00007f094524a192 in virNetServerProgramDispatchCall at rpc/virnetserverprogram.c:437 Signed-off-by: Luyao Huang (cherry picked from commit 87b9437f8951f9d24f9a85c6bbfff0e54df8c984) This issue was introduced by commit id '4a85bf3e' and is related to https://bugzilla.redhat.com/show_bug.cgi?id=1072653 Although possible to avoid the condition by a previous patch to disallow a negative offset using virsh, it is still possible to pass an offset via virStorageVolUpload that would cause the same condition, so this patch is also necessary. Signed-off-by: John Ferlan Signed-off-by: Jiri Denemark --- src/storage/storage_driver.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/storage/storage_driver.c b/src/storage/storage_driver.c index 7c518bf..7d4ae50 100644 --- a/src/storage/storage_driver.c +++ b/src/storage/storage_driver.c @@ -2088,8 +2088,9 @@ storageVolUpload(virStorageVolPtr obj, goto cleanup; } - ret = backend->uploadVol(obj->conn, pool, vol, stream, - offset, length, flags); + if ((ret = backend->uploadVol(obj->conn, pool, vol, stream, + offset, length, flags)) < 0) + goto cleanup; /* Add cleanup callback - call after uploadVol since the stream * is then fully set up -- 2.2.0