From 51be47223840c917b0a98782c214d6b8e031b658 Mon Sep 17 00:00:00 2001
Message-Id: <51be47223840c917b0a98782c214d6b8e031b658@dist-git>
From: Jiri Denemark <jdenemar@redhat.com>
Date: Thu, 2 Aug 2018 16:56:02 +0200
Subject: [PATCH] qemu_migration: Avoid writing to freed memory
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When a domain is killed on the source host while it is being migrated
and libvirtd is waiting for the migration to finish (waiting for the
domain condition in qemuMigrationSrcWaitForCompletion), the run-time
state including priv->job.current may already be freed once
virDomainObjWait returns with -1. Thus the priv->job.current pointer
cached in jobInfo is no longer valid and setting jobInfo->status may
crash the daemon.
https://bugzilla.redhat.com/show_bug.cgi?id=1593137
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
(cherry picked from commit dddcb601ebf97ef222a03bb27b2357e831e8a0cc)
https://bugzilla.redhat.com/show_bug.cgi?id=1615854
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
---
 src/qemu/qemu_migration.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c
index 435cd174af..825a9d399b 100644
--- a/src/qemu/qemu_migration.c
+++ b/src/qemu/qemu_migration.c
@@ -1584,7 +1584,8 @@ qemuMigrationSrcWaitForCompletion(virQEMUDriverPtr driver,
 
         if (events) {
             if (virDomainObjWait(vm) < 0) {
-                jobInfo->status = QEMU_DOMAIN_JOB_STATUS_FAILED;
+                if (virDomainObjIsActive(vm))
+                    jobInfo->status = QEMU_DOMAIN_JOB_STATUS_FAILED;
                 return -2;
             }
         } else {
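Review bot: the new `virDomainObjIsActive(vm)` guard is doing duty as a proxy for "priv->job.current (and thus jobInfo) has not been freed", but nothing in the hunk says so; a one-line comment above the guard stating that the cached jobInfo pointer is only valid while the domain is still active would keep a future reader from "simplifying" the check away and reintroducing the use-after-free the commit message describes. It is also worth noting at the `return -2;` that, when the domain is already inactive, no status is recorded in jobInfo at all, so callers must rely on the -2 return value rather than on `jobInfo->status` to detect this failure path.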
-- 
2.18.0