From: Jim Fehlig
Date: Thu, 13 Nov 2014 21:41:56 +0000 (-0700)
Subject: libxl: acquire job in migration finish phase
X-Git-Tag: CVE-2014-8135~81
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a1f389515c7995ce0412f5b2413e5ec3dba4ef98;p=thirdparty%2Flibvirt.git

libxl: acquire job in migration finish phase

Moving data reception of the perform phase of migration to a thread introduces a race with the finish phase, where checking if the domain is active races with the thread finishing the perform phase. The race is easily solved by acquiring a job in the finish phase, which must wait for the perform phase job to complete. While wrapping the finish phase in a job, noticed the virDomainObj was being unlocked in a callee - libxlDomainMigrationFinish. Move the unlocking to libxlDomainMigrateFinish3Params, where the lock is acquired.

Signed-off-by: Jim Fehlig
---

diff --git a/src/libxl/libxl_driver.c b/src/libxl/libxl_driver.c
index 8cbf3c0bdd..8c2b19211f 100644
--- a/src/libxl/libxl_driver.c
+++ b/src/libxl/libxl_driver.c
@@ -4650,6 +4650,7 @@ libxlDomainMigrateFinish3Params(virConnectPtr dconn,
 libxlDriverPrivatePtr driver = dconn->privateData;
 virDomainObjPtr vm = NULL;
 const char *dname = NULL;
+ virDomainPtr ret = NULL;
 #ifdef LIBXL_HAVE_NO_SUSPEND_RESUME
 virReportUnsupportedError();
@@ -4680,16 +4681,29 @@ libxlDomainMigrateFinish3Params(virConnectPtr dconn,
 return NULL;
 }
+ if (libxlDomainObjBeginJob(driver, vm, LIBXL_JOB_MODIFY) < 0) {
+ virObjectUnlock(vm);
+ return NULL;
+ }
+
 if (!virDomainObjIsActive(vm)) {
 /* Migration failed if domain is inactive */
 virReportError(VIR_ERR_OPERATION_FAILED, "%s", _("Migration failed. Domain is not running " "on destination host"));
- virObjectUnlock(vm);
- return NULL;
+ goto endjob;
 }
- return libxlDomainMigrationFinish(dconn, vm, flags, cancelled);
+ ret = libxlDomainMigrationFinish(dconn, vm, flags, cancelled);
+
+ endjob:
+ if (!libxlDomainObjEndJob(driver, vm))
+ vm = NULL;
+
+ if (vm)
+ virObjectUnlock(vm);
+
+ return ret;
 }
 static int
diff --git a/src/libxl/libxl_migration.c b/src/libxl/libxl_migration.c
index c728fa27ed..fa80a0cca7 100644
--- a/src/libxl/libxl_migration.c
+++ b/src/libxl/libxl_migration.c
@@ -573,7 +573,6 @@ libxlDomainMigrationFinish(virConnectPtr dconn,
 cleanup:
 if (event) libxlDomainEventQueue(driver, event);
- virObjectUnlock(vm);
 virObjectUnref(cfg);
 return dom;
 }
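Review bot: In `libxlDomainMigrateFinish3Params` (src/libxl/libxl_driver.c), the new early return after a failed `libxlDomainObjBeginJob()` unlocks `vm` and returns NULL without examining the incoming domain, so a finish that cannot get the job reports failure while the destination may still hold a running or partly received guest. Whether the job wait can actually fail or time out here is not visible in the hunk, but if it can, that path should clean up, or at least carry a comment such as `/* TODO: incoming domain is left as-is when the job cannot be acquired */`. At `endjob:` the code depends on `libxlDomainObjEndJob()` returning false once `vm` is gone; a one-line comment saying so would help, and the two tests could be folded into `if (libxlDomainObjEndJob(driver, vm)) virObjectUnlock(vm);`. `libxlDomainMigrationFinish()` in libxl_migration.c now returns with `vm` still locked, which deserves a line in its header comment, and any other caller (none is visible here) has to unlock it itself. The function starts outside this hunk, so the lookup that takes the lock is not shown.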