From 14898a26978613278b0a2508c077179144d54b39 Mon Sep 17 00:00:00 2001

Message-Id: <14898a26978613278b0a2508c077179144d54b39@dist-git>

From: Jiri Denemark <jdenemar@redhat.com>

Date: Thu, 2 Aug 2018 16:56:02 +0200

Subject: [PATCH] qemu_migration: Avoid writing to freed memory

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

When a domain is killed on the source host while it is being migrated

and libvirtd is waiting for the migration to finish (waiting for the

domain condition in qemuMigrationSrcWaitForCompletion), the run-time

state including priv->job.current may already be freed once

virDomainObjWait returns with -1. Thus the priv->job.current pointer

cached in jobInfo is no longer valid and setting jobInfo->status may

crash the daemon.

https://bugzilla.redhat.com/show_bug.cgi?id=1593137

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>

Reviewed-by: Ján Tomko <jtomko@redhat.com>

(cherry picked from commit dddcb601ebf97ef222a03bb27b2357e831e8a0cc)

https://bugzilla.redhat.com/show_bug.cgi?id=1615854

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>

Reviewed-by: Erik Skultety <eskultet@redhat.com>

---

 src/qemu/qemu_migration.c | 3 ++-

 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c

index 435cd174af..825a9d399b 100644

--- a/src/qemu/qemu_migration.c

+++ b/src/qemu/qemu_migration.c

@@ -1584,7 +1584,8 @@ qemuMigrationSrcWaitForCompletion(virQEMUDriverPtr driver,

         if (events) {

             if (virDomainObjWait(vm) < 0) {

-                jobInfo->status = QEMU_DOMAIN_JOB_STATUS_FAILED;

+                if (virDomainObjIsActive(vm))

+                    jobInfo->status = QEMU_DOMAIN_JOB_STATUS_FAILED;

                 return -2;

             }

         } else {

-- 

2.18.0