Hello,
There is double unref virChrdevOpen() (src/conf/virchrdev.c) when error occured.
if (virStreamRef(st) < 0) {
virMutexUnlock(&devs->lock);
return -1;
}
...
if (virHashAddEntry(devs->hash, path, st) < 0)
goto error;
...
if (virFDStreamOpenFile(st, path, 0, 0, O_RDWR) < 0) /* error
occured here */
goto error;
...
error:
virStreamFree(st);
virHashRemoveEntry(devs->hash, path);
stream is virStreamRef'ed 1 time but if it is successfully placed into
hash then it will be unreferenced 2 times - in virStreamFree() and
virHashRemoveEntry()'s dataFree callback.
That leads to dispose stream object and segmentation fault due to use
after free.
Steps to reproduce:
# hide the /dev/pts to throw an error in virFDStreamOpenFile()
$ mount -t tmpfs empty-devpts /dev/pts
$ virsh console a111
Connected to domain a111
Escape character is ^]
error: End of file while reading data: Input/output error
error: One or more references were leaked after disconnect from the hypervisor
error: Failed to reconnect to the hypervisor
(libvirtd segfaults)
$ umount empty-devpts
wbr,
Sergey.
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list