From 328ad9e678c036a4428497b95211c372dff457b0 Mon Sep 17 00:00:00 2001
From: Luyao Huang <lhuang@redhat.com>
Date: Tue, 8 Sep 2015 12:59:10 +0800
Subject: [PATCH] conf: fix crash when parsing a unordered NUMA <cell/>

https://bugzilla.redhat.com/show_bug.cgi?id=1260846

Introduced by 8fedbbdb, if we parse an unordered NUMA cell, will
get a segfault. This is because of a check for overlapping @cpus
sets we have there. However, since the array to hold guest NUMA
cells is allocated upfront and therefore it contains all zeros,
an out of order cell will break our assumption that cell IDs have
increasing character. At this point we try to access yet NULL
bitmap and therefore segfault.

Signed-off-by: Luyao Huang <lhuang@redhat.com>
(cherry picked from commit 83ae3ee39bd13feddecc49aaad382d5cae72c257)
---
 src/conf/numa_conf.c                          | 10 +++++--
 .../qemuxml2argv-cpu-numa-disordered.xml      | 26 +++++++++++++++++
 .../qemuxml2xmlout-cpu-numa-disordered.xml    | 29 +++++++++++++++++++
 tests/qemuxml2xmltest.c                       |  1 +
 4 files changed, 63 insertions(+), 3 deletions(-)
 create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-cpu-numa-disordered.xml
 create mode 100644 tests/qemuxml2xmloutdata/qemuxml2xmlout-cpu-numa-disordered.xml

diff --git a/src/conf/numa_conf.c b/src/conf/numa_conf.c
index 5c123b96b7..b5963ace0f 100644
--- a/src/conf/numa_conf.c
+++ b/src/conf/numa_conf.c
@@ -759,11 +759,15 @@ virDomainNumaDefCPUParseXML(virDomainNumaPtr def,
         }
         VIR_FREE(tmp);
 
-        for (j = 0; j < i; j++) {
+        for (j = 0; j < n; j++) {
+            if (j == cur_cell || !def->mem_nodes[j].cpumask)
+                continue;
+
             if (virBitmapOverlaps(def->mem_nodes[j].cpumask,
-                                  def->mem_nodes[i].cpumask)) {
+                                  def->mem_nodes[cur_cell].cpumask)) {
                 virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
-                               _("NUMA cells %zu and %zu have overlapping vCPU ids"), i, j);
+                               _("NUMA cells %u and %zu have overlapping vCPU ids"),
+                               cur_cell, j);
                 goto cleanup;
             }
         }
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-cpu-numa-disordered.xml b/tests/qemuxml2argvdata/qemuxml2argv-cpu-numa-disordered.xml
new file mode 100644
index 0000000000..ad3160741c
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-cpu-numa-disordered.xml
@@ -0,0 +1,26 @@
+<domain type='qemu'>
+  <name>QEMUGuest1</name>
+  <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+  <memory unit='KiB'>328650</memory>
+  <currentMemory unit='KiB'>328650</currentMemory>
+  <vcpu placement='static'>16</vcpu>
+  <os>
+    <type arch='x86_64' machine='pc'>hvm</type>
+    <boot dev='network'/>
+  </os>
+  <cpu>
+    <topology sockets='2' cores='4' threads='2'/>
+    <numa>
+      <cell id='0' cpus='0-5' memory='109550' unit='KiB'/>
+      <cell id='2' cpus='6-10' memory='109550' unit='KiB'/>
+      <cell id='1' cpus='11-15' memory='109550' unit='KiB'/>
+    </numa>
+  </cpu>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <devices>
+      <emulator>/usr/bin/qemu</emulator>
+  </devices>
+</domain>
diff --git a/tests/qemuxml2xmloutdata/qemuxml2xmlout-cpu-numa-disordered.xml b/tests/qemuxml2xmloutdata/qemuxml2xmlout-cpu-numa-disordered.xml
new file mode 100644
index 0000000000..0a76f12e2b
--- /dev/null
+++ b/tests/qemuxml2xmloutdata/qemuxml2xmlout-cpu-numa-disordered.xml
@@ -0,0 +1,29 @@
+<domain type='qemu'>
+  <name>QEMUGuest1</name>
+  <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+  <memory unit='KiB'>328650</memory>
+  <currentMemory unit='KiB'>328650</currentMemory>
+  <vcpu placement='static'>16</vcpu>
+  <os>
+    <type arch='x86_64' machine='pc'>hvm</type>
+    <boot dev='network'/>
+  </os>
+  <cpu>
+    <topology sockets='2' cores='4' threads='2'/>
+    <numa>
+      <cell id='0' cpus='0-5' memory='109550' unit='KiB'/>
+      <cell id='1' cpus='11-15' memory='109550' unit='KiB'/>
+      <cell id='2' cpus='6-10' memory='109550' unit='KiB'/>
+    </numa>
+  </cpu>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <devices>
+    <emulator>/usr/bin/qemu</emulator>
+    <controller type='usb' index='0'/>
+    <controller type='pci' index='0' model='pci-root'/>
+    <memballoon model='virtio'/>
+  </devices>
+</domain>
diff --git a/tests/qemuxml2xmltest.c b/tests/qemuxml2xmltest.c
index 09806b242f..104c43eaf1 100644
--- a/tests/qemuxml2xmltest.c
+++ b/tests/qemuxml2xmltest.c
@@ -603,6 +603,7 @@ mymain(void)
     DO_TEST_DIFFERENT("cpu-numa1");
     DO_TEST_DIFFERENT("cpu-numa2");
     DO_TEST_DIFFERENT("cpu-numa-no-memory-element");
+    DO_TEST_DIFFERENT("cpu-numa-disordered");
     DO_TEST("cpu-numa-disjoint");
     DO_TEST("cpu-numa-memshared");