Re: [PATCH] qemu: Remove hostdev entry when freeing the depending network entry

Peter Krempa <pkrempa@xxxxxxxxxx> · Tue, 27 Aug 2013 13:57:48 -0400 (EDT)

----- Original Message -----
> From: "Peter Krempa" <pkrempa@xxxxxxxxxx>
> To: libvir-list@xxxxxxxxxx
> Cc: "Peter Krempa" <pkrempa@xxxxxxxxxx>
> Sent: Tuesday, August 27, 2013 7:21:24 PM
> Subject:  [PATCH] qemu: Remove hostdev entry when freeing the	depending network entry
> 
> When using a <interface type="network"> that points to a network with
> hostdev forwarding mode a hostdev alias is created for the network. This
> allias is inserted into the hostdev list, but is backed with a part of
> the network object that it is connected to.
> 
> When a VM is being stopped qemuProcessStop() calls
> networkReleaseActualDevice() which eventually frees the memory for the
> hostdev object. Afterwards when the domain definition is being freed by
> virDomainDefFree() an invalid pointer is accessed by
> virDomainHostdevDefFree() and may cause a crash of the daemon.
> 
> This patch removes the entry in the hostdev list before freeing the
> depending memory to avoid this issue.
> 
> Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1000973
> ---
>  src/qemu/qemu_process.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
> index 128618b..2a69c8d 100644
> --- a/src/qemu/qemu_process.c
> +++ b/src/qemu/qemu_process.c
> @@ -4241,6 +4241,9 @@ void qemuProcessStop(virQEMUDriverPtr driver,
>      def = vm->def;
>      for (i = 0; i < def->nnets; i++) {
>          virDomainNetDefPtr net = def->nets[i];
> +        virDomainHostdevDefPtr hostdev = virDomainNetGetActualHostdev(net);
> +        int hostdev_index;
> +
>          if (virDomainNetGetActualType(net) == VIR_DOMAIN_NET_TYPE_DIRECT) {
>              ignore_value(virNetDevMacVLanDeleteWithVPortProfile(
>                               net->ifname, &net->mac,
> @@ -4259,6 +4262,11 @@ void qemuProcessStop(virQEMUDriverPtr driver,
>                                         virDomainNetGetActualBridgeName(net),
>                                         net->ifname));
> 
> +        if (hostdev) {
> +            if ((hostdev_index = virDomainHostdevFind(def, hostdev, NULL)) >
> 0)

s/>/>=/

The condition should fire also when the entry is present on index 0.

> +                virDomainHostdevRemove(def, hostdev_index);
> +        }
> +
>          networkReleaseActualDevice(net);
>      }
> 
> --
> 1.8.3.2
> 
> --
> libvir-list mailing list
> libvir-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/libvir-list
> 

Peter

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list