[libvirt] [PATCH] qemu: Remove hostdev entry when freeing the depending network entry

When using a <interface type="network"> that points to a network with
hostdev forwarding mode a hostdev alias is created for the network. This
alias is inserted into the hostdev list, but is backed with a part of
the network object that it is connected to.

When a VM is being stopped qemuProcessStop() calls
networkReleaseActualDevice() which eventually frees the memory for the
hostdev object. Afterwards when the domain definition is being freed by
virDomainDefFree() an invalid pointer is accessed by
virDomainHostdevDefFree() and may cause a crash of the daemon.

This patch removes the entry in the hostdev list before freeing the
depending memory to avoid this issue.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1000973
 src/qemu/qemu_process.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 128618b..2a69c8d 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -4241,6 +4241,9 @@ void qemuProcessStop(virQEMUDriverPtr driver,
     def = vm->def;
     for (i = 0; i < def->nnets; i++) {
         virDomainNetDefPtr net = def->nets[i];
+        virDomainHostdevDefPtr hostdev = virDomainNetGetActualHostdev(net);
+        int hostdev_index;
         if (virDomainNetGetActualType(net) == VIR_DOMAIN_NET_TYPE_DIRECT) {
                              net->ifname, &net->mac,
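Review bot: hostdev_index is declared at loop-body scope here but is only used inside the later "if (hostdev)" block, so it can be declared there instead. A one-line comment above the virDomainNetGetActualHostdev(net) lookup would also help, stating that the returned hostdev is memory owned by the network's actual device and is only aliased in def->hostdevs, which is why it has to be dropped from that list during stop. A blank line between the two new declarations and the following "if" would match the usual layout.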
@@ -4259,6 +4262,11 @@ void qemuProcessStop(virQEMUDriverPtr driver,

+        if (hostdev) {
+            if ((hostdev_index = virDomainHostdevFind(def, hostdev, NULL)) > 0)
+                virDomainHostdevRemove(def, hostdev_index);
+        }
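Review bot: the test "virDomainHostdevFind(def, hostdev, NULL)) > 0" skips a match at index 0, so when the network-backed hostdev is the first entry in the hostdev list it is not removed and the stale pointer stays in place. If the function signals "not found" with a negative value, the comparison should be ">= 0". The outer braces around the single nested "if" can also be dropped by folding the condition into "if (hostdev && ...)". The visible context does not show the networkReleaseActualDevice() call, so please confirm that this block sits before it, as the commit message describes.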


