From: Michal Privoznik
Date: Thu, 5 Dec 2013 13:39:52 +0000 (+0100)
Subject: virThreadPoolFree: Set n(Prio)Workers after the pool is locked
X-Git-Tag: CVE-2013-6436~113
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e925aad324c427a2b5b3da6a97196e40c9b506f9;p=thirdparty%2Flibvirt.git

virThreadPoolFree: Set n(Prio)Workers after the pool is locked

In 78839da I am trying to join the worker threads. However, I can't simply reuse pool->nWorkers (same applies for pool->nPrioWorkers), because of the following flow that is currently implemented:

1) The main thread executing virThreadPoolFree sets pool->quit = true, wakes up all the workers and waits on pool->quit_cond.

2) A worker is woken up and sees the quit request. It immediately jumps out of the while() loop and decrements pool->nWorkers (or pool->nPrioWorkers in case of priority worker). The last thread signalizes pool->quit_cond.

3) Main thread is woken up, with both pool->nWorkers and pool->nPrioWorkers being zero.

So there's a need to copy the original value of worker thread counts into local variables. However, these need to be set *after* the check for pool being NULL (dereferencing a NULL is a no-no). And for safety they can be set right after the pool is locked.

Reported-by: John Ferlan
Signed-off-by: Michal Privoznik
---
diff --git a/src/util/virthreadpool.c b/src/util/virthreadpool.c index 99f36ec13b..aa442d1e92 100644 --- a/src/util/virthreadpool.c +++ b/src/util/virthreadpool.c @@ -242,13 +242,15 @@ void virThreadPoolFree(virThreadPoolPtr pool) virThreadPoolJobPtr job; bool priority = false; size_t i; - size_t nWorkers = pool->nWorkers; - size_t nPrioWorkers = pool->nPrioWorkers; + size_t nWorkers; + size_t nPrioWorkers; if (!pool) return; virMutexLock(&pool->mutex); + nWorkers = pool->nWorkers; + nPrioWorkers = pool->nPrioWorkers; pool->quit = true; if (pool->nWorkers > 0) virCondBroadcast(&pool->cond);
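
Review bot: the two assignments added between `virMutexLock(&pool->mutex);` and `pool->quit = true;` carry no comment explaining why the counts are copied, yet their position is what makes the fix correct. They must come after the `if (!pool) return;` check and before quit is set and the workers are woken. A later cleanup that moves them back into the declarations would reintroduce the NULL dereference, and one that moves them below the broadcast would read counts the exiting workers have already decremented. Suggest a one-line comment above `nWorkers = pool->nWorkers;` saying the snapshot is taken under the mutex because workers decrement the pool counters as they exit. With the locals in place, the unchanged `if (pool->nWorkers > 0)` just below could test `nWorkers` instead, so the function reads the counts from one place.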