From 21e0e8866e341da74e296ca3cf2d97812e847a66 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A1n=20Tomko?=
Date: Tue, 27 Jan 2015 18:44:30 +0100
Subject: [PATCH] hotplug: only add a chardev to vmdef after monitor call

https://bugzilla.redhat.com/show_bug.cgi?id=1161024
This way the device is in vmdef only if ret = 0 and the caller (qemuDomainAttachDeviceFlags) does not free it. Otherwise it might get double freed by qemuProcessStop and qemuDomainAttachDeviceFlags if the domain crashed in monitor after we've added it to vm->def.
---
src/qemu/qemu_hotplug.c | 34 +++++++++++-----------------------
1 file changed, 11 insertions(+), 23 deletions(-)

diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
index 2ea30f5d04..033b281bd3 100644
--- a/src/qemu/qemu_hotplug.c
+++ b/src/qemu/qemu_hotplug.c
@@ -1523,59 +1523,47 @@ int qemuDomainAttachChrDevice(virQEMUDriverPtr driver,
 virDomainDefPtr vmdef = vm->def;
 char *devstr = NULL;
 char *charAlias = NULL;
- bool need_remove = false;
 if (!virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_DEVICE)) {
 virReportError(VIR_ERR_OPERATION_INVALID, "%s", _("qemu does not support -device"));
- return ret;
+ goto cleanup;
 }
 if (qemuAssignDeviceChrAlias(vmdef, chr, -1) < 0)
- return ret;
+ goto cleanup;
 if (qemuBuildChrDeviceStr(&devstr, vm->def, chr, priv->qemuCaps) < 0)
- return ret;
+ goto cleanup;
 if (virAsprintf(&charAlias, "char%s", chr->info.alias) < 0)
 goto cleanup;
- if (qemuDomainChrInsert(vmdef, chr) < 0)
+ if (qemuDomainChrPreInsert(vmdef, chr) < 0)
 goto cleanup;
- need_remove = true;
 qemuDomainObjEnterMonitor(driver, vm);
 if (qemuMonitorAttachCharDev(priv->mon, charAlias, &chr->source) < 0) {
- if (qemuDomainObjExitMonitor(driver, vm) < 0) {
- need_remove = false;
- ret = -1;
- goto cleanup;
- }
+ ignore_value(qemuDomainObjExitMonitor(driver, vm));
 goto audit;
 }
 if (devstr && qemuMonitorAddDevice(priv->mon, devstr) < 0) {
 /* detach associated chardev on error */
 qemuMonitorDetachCharDev(priv->mon, charAlias);
- if (qemuDomainObjExitMonitor(driver, vm) < 0) {
- need_remove = false;
- ret = -1;
- goto cleanup;
- }
+ ignore_value(qemuDomainObjExitMonitor(driver, vm));
 goto audit;
 }
- if (qemuDomainObjExitMonitor(driver, vm) < 0) {
- need_remove = false;
- ret = -1;
- goto cleanup;
- }
+ if (qemuDomainObjExitMonitor(driver, vm) < 0)
+ goto audit;
+ qemuDomainChrInsertPreAlloced(vm->def, chr);
 ret = 0;
 audit:
 virDomainAuditChardev(vm, NULL, chr, "attach", ret == 0);
 cleanup:
- if (ret < 0 && need_remove)
- qemuDomainChrRemove(vmdef, chr);
+ if (ret < 0 && virDomainObjIsActive(vm))
+ qemuDomainChrInsertPreAllocCleanup(vm->def, chr);
 VIR_FREE(charAlias);
 VIR_FREE(devstr);
 return ret;
--
GitLab
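Review bot: The cleanup at the end of the hunk now calls qemuDomainChrInsertPreAllocCleanup(vm->def, chr) on every failure while the domain is active, including the early `goto cleanup` paths (the capability check, qemuAssignDeviceChrAlias, qemuBuildChrDeviceStr and the virAsprintf failure) that run before qemuDomainChrPreInsert has reserved a slot, whereas the removed code gated the undo on need_remove. Whether that is harmless depends on qemuDomainChrInsertPreAllocCleanup tolerating a def that was never pre-grown, which is not visible in this hunk; if it shrinks the array unconditionally it could drop an existing chardev entry. A local flag keeps the release paired with the reservation: `bool prealloced = false;`, set `prealloced = true;` right after the successful qemuDomainChrPreInsert call, and `if (ret < 0 && prealloced && virDomainObjIsActive(vm))` at cleanup. The new lines also mix vmdef (qemuDomainChrPreInsert) with vm->def (qemuDomainChrInsertPreAlloced and the cleanup) for what is the same object at that point; using one name throughout would make it obvious that the reservation, the insert and the undo all target the same def. The function's signature and the initialisation of ret and priv start before the hunk.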