qemu_conf: Avoid dereferencing NULL in virQEMUDriverGetHost{NUMACaps,CPU}

When fixing [1] I've ran attached reproducer and had it spawn
1024 threads and query capabilities XML in each one of them. This
lead libvirtd to hit the RLIMIT_NOFILE limit which was kind of
expected. What wasn't expected was a subsequent segfault. It
happened because virCPUProbeHost failed and returned NULL. We've
taken the NULL and passed it to virCapabilitiesHostNUMARef()
which dereferenced it. Code inspection showed the same flas in
virQEMUDriverGetHostNUMACaps(), so I'm fixing both places.

1: https://bugzilla.redhat.com/show_bug.cgi?id=1791790

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>

diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index b62dd1df52d54ca9f8386beb8b786a9f39dd4854..1204b189faa4c3f2b7f7183c4b7b56e26159963e 100644 (file)
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -1201,32 +1201,42 @@ virQEMUDriverCreateXMLConf(virQEMUDriverPtr driver,
 virCapsHostNUMAPtr
 virQEMUDriverGetHostNUMACaps(virQEMUDriverPtr driver)
 {
+    virCapsHostNUMAPtr hostnuma;
+
     qemuDriverLock(driver);
 
     if (!driver->hostnuma)
         driver->hostnuma = virCapabilitiesHostNUMANewHost();
 
+    hostnuma = driver->hostnuma;
+
     qemuDriverUnlock(driver);
 
-    virCapabilitiesHostNUMARef(driver->hostnuma);
+    if (hostnuma)
+        virCapabilitiesHostNUMARef(hostnuma);
 
-    return driver->hostnuma;
+    return hostnuma;
 }
 
 
 virCPUDefPtr
 virQEMUDriverGetHostCPU(virQEMUDriverPtr driver)
 {
+    virCPUDefPtr hostcpu;
+
     qemuDriverLock(driver);
 
     if (!driver->hostcpu)
         driver->hostcpu = virCPUProbeHost(virArchFromHost());
 
+    hostcpu = driver->hostcpu;
+
     qemuDriverUnlock(driver);
 
-    virCPUDefRef(driver->hostcpu);
+    if (hostcpu)
+        virCPUDefRef(hostcpu);
 
-    return driver->hostcpu;
+    return hostcpu;
 }