
[libvirt] virStream double unref in virChrdevOpen()


There is a double unref in virChrdevOpen() (src/conf/virchrdev.c) when an error occurs.

    if (virStreamRef(st) < 0) {
        return -1;
    }
    if (virHashAddEntry(devs->hash, path, st) < 0)
        goto error;

    if (virFDStreamOpenFile(st, path, 0, 0, O_RDWR) < 0) /* error occurred here */
        goto error;

    /* error path */
    virHashRemoveEntry(devs->hash, path);

The stream is virStreamRef'ed 1 time, but if it is successfully placed into
the hash then it will be unreferenced 2 times - in virStreamFree() and in
virHashRemoveEntry()'s dataFree callback.

That leads to disposal of the stream object and a segmentation fault due to
use after free.

Steps to reproduce:
# hide the /dev/pts to throw an error in virFDStreamOpenFile()
$ mount -t tmpfs empty-devpts /dev/pts
$ virsh console a111
Connected to domain a111
Escape character is ^]
error: End of file while reading data: Input/output error
error: One or more references were leaked after disconnect from the hypervisor
error: Failed to reconnect to the hypervisor
(libvirtd segfaults)
$ umount empty-devpts
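
The reference accounting described in the report, as an added example that is not part of the original post and is not libvirt code: a toy refcount model (struct stream, failed_open, refs_after_failure and the one-slot table are hypothetical names) comparing the reported error path with a balanced one. The balanced branch is an assumption about one way to pair each reference with a single release, not the upstream patch.

```c
#include <stdio.h>

/* Toy model, not libvirt code: a counted object and a one-slot "hash"
 * whose dataFree callback drops the reference the table holds. */
struct stream { int refs; int disposed; };

static void stream_ref(struct stream *s) { s->refs++; }
static void stream_unref(struct stream *s) { if (--s->refs == 0) s->disposed = 1; }

static struct stream *slot;                      /* the one-slot table */
static void hash_remove(void) { if (slot) { stream_unref(slot); slot = NULL; } }

/* A failed open. add_ok says whether the table insert succeeded before the
 * failure; buggy selects the error path described in the report. */
static void failed_open(struct stream *st, int add_ok, int buggy)
{
    stream_ref(st);                              /* reference meant for the table */
    if (add_ok)
        slot = st;
    if (buggy) {
        stream_unref(st);                        /* stands in for virStreamFree() */
        hash_remove();                           /* dataFree unrefs again if added */
    } else if (add_ok) {
        hash_remove();                           /* table owns the ref: one release */
    } else {
        stream_unref(st);                        /* never inserted: drop it directly */
    }
}

/* Refs left after the failure, or -1 if the object was disposed while the
 * caller still held its own reference (the use-after-free precondition). */
static int refs_after_failure(int add_ok, int buggy)
{
    struct stream st = { 1, 0 };                 /* caller holds one reference */
    slot = NULL;
    failed_open(&st, add_ok, buggy);
    return st.disposed ? -1 : st.refs;
}

int main(void)
{
    printf("buggy, added: %d\n", refs_after_failure(1, 1));
    printf("buggy, not added: %d\n", refs_after_failure(0, 1));
    printf("balanced, added: %d\n", refs_after_failure(1, 0));
    printf("balanced, not added: %d\n", refs_after_failure(0, 0));
    return 0;
}
```

Only the case where the insert succeeded and the open then failed disposes the object under the caller, which matches the path the report triggers.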

