From d5df67be3c5d7a70bd2018fa5267733f23b1ae5d Mon Sep 17 00:00:00 2001 From: Wen Congyang Date: Wed, 16 Mar 2011 17:01:23 +0800 Subject: [PATCH] do not unref obj in qemuDomainObjExitMonitor* Steps to reproduce this bug: # cat test.sh #! /bin/bash -x virsh start domain sleep 5 virsh qemu-monitor-command domain 'cpu_set 2 online' --hmp # while true; do ./test.sh ; done Then libvirtd will crash. The reason is that: we add a reference of obj when we open the monitor. We will reduce this reference when we free the monitor. If the reference of monitor is 0, we will free monitor automatically and the reference of obj is reduced. But in the function qemuDomainObjExitMonitorWithDriver(), we reduce this reference again when the reference of monitor is 0. It will cause the obj be freed in the function qemuDomainObjEndJob(). Then we start the domain again, and libvirtd will crash in the function virDomainObjListSearchName(), because we pass a null pointer(obj->def->name) to strcmp(). Signed-off-by: Wen Congyang --- src/qemu/qemu_domain.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index 8a2b9ccbac..cc137d2b58 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -588,7 +588,6 @@ void qemuDomainObjExitMonitor(virDomainObjPtr obj) virDomainObjLock(obj); if (refs == 0) { - virDomainObjUnref(obj); priv->mon = NULL; } } @@ -634,7 +633,6 @@ void qemuDomainObjExitMonitorWithDriver(struct qemud_driver *driver, virDomainObjLock(obj); if (refs == 0) { - virDomainObjUnref(obj); priv->mon = NULL; } } -- GitLab
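Review bot: In the first hunk (qemuDomainObjExitMonitor), the remaining `if (refs == 0) { priv->mon = NULL; }` now relies on the monitor's own free path dropping the obj reference, as the commit message explains, but nothing at the call site records that. Suggest a one-line comment above the `if (refs == 0)` block stating that the obj reference taken when the monitor was opened is released when the monitor is freed, so a later reader who sees the ref in the EnterMonitor side does not reinstate this unref as a "leak fix" and reintroduce the double-unref that frees obj under qemuDomainObjEndJob.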
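Review bot: The second hunk (qemuDomainObjExitMonitorWithDriver) is the identical two-line deletion applied to an identical block, which is how the same refcount bug came to exist in two places. Once this lands the `virDomainObjLock(obj); if (refs == 0) { priv->mon = NULL; }` tail of both functions is the same code; suggest factoring it into a shared static helper so the with-driver and without-driver variants cannot drift apart again.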