From: Jonathon Jongsma
To: libvir-list@redhat.com
Cc: Boris Fiuczynski
Subject: [libvirt PATCH] conf: Fix segfault when parsing mdev types
Date: Wed, 2 Dec 2020 11:52:39 -0600
Message-Id: <20201202175239.183927-1-jjongsma@redhat.com>

Commit f1b0890 introduced a potential crash due to incorrect operator
precedence when accessing an element from a pointer to an array.
Backtrace below:

#0 virNodeDeviceGetMdevTypesCaps (sysfspath=0x7fff801661e0 "/sys/devices/pci0000:00/0000:00:02.0", mdev_types=0x7fff801c9b40, nmdev_types=0x7fff801c9b48) at ../src/conf/node_device_conf.c:2676
#1 0x00007ffff7caf53d in virNodeDeviceGetPCIDynamicCaps (sysfsPath=0x7fff801661e0 "/sys/devices/pci0000:00/0000:00:02.0", pci_dev=0x7fff801c9ac8) at ../src/conf/node_device_conf.c:2705
#2 0x00007ffff7cae38f in virNodeDeviceUpdateCaps (def=0x7fff80168a10) at ../src/conf/node_device_conf.c:2342
#3 0x00007ffff7cb11c0 in virNodeDeviceObjMatch (obj=0x7fff84002e50, flags=0) at ../src/conf/virnodedeviceobj.c:850
#4 0x00007ffff7cb153d in virNodeDeviceObjListExportCallback (payload=0x7fff84002e50, name=0x7fff801cbc20 "pci_0000_00_02_0", opaque=0x7fffe2ffc6a0) at ../src/conf/virnodedeviceobj.c:909
#5 0x00007ffff7b69146 in virHashForEach (table=0x7fff9814b700 = {...}, iter=0x7ffff7cb149e , opaque=0x7fffe2ffc6a0) at ../src/util/virhash.c:394
#6 0x00007ffff7cb1694 in virNodeDeviceObjListExport (conn=0x7fff98013170, devs=0x7fff98154430, devices=0x7fffe2ffc798, filter=0x7ffff7cf47a1 , flags=0) at ../src/conf/virnodedeviceobj.c:943
#7 0x00007fffe00694b2 in nodeConnectListAllNodeDevices (conn=0x7fff98013170, devices=0x7fffe2ffc798, flags=0) at ../src/node_device/node_device_driver.c:228
#8 0x00007ffff7e703aa in virConnectListAllNodeDevices (conn=0x7fff98013170, devices=0x7fffe2ffc798, flags=0) at ../src/libvirt-nodedev.c:130
#9 0x000055555557f796 in remoteDispatchConnectListAllNodeDevices (server=0x555555627080, client=0x5555556bf050, msg=0x5555556c0000, rerr=0x7fffe2ffc8a0, args=0x7fffd4008470, ret=0x7fffd40084e0) at src/remote/remote_daemon_dispatch_stubs.h:1613
#10 0x000055555557f6f9 in remoteDispatchConnectListAllNodeDevicesHelper (server=0x555555627080, client=0x5555556bf050, msg=0x5555556c0000, rerr=0x7fffe2ffc8a0, args=0x7fffd4008470, ret=0x7fffd40084e0) at
    src/remote/remote_daemon_dispatch_stubs.h:1591
#11 0x00007ffff7ce9542 in virNetServerProgramDispatchCall (prog=0x555555690c10, server=0x555555627080, client=0x5555556bf050, msg=0x5555556c0000) at ../src/rpc/virnetserverprogram.c:428
#12 0x00007ffff7ce90bd in virNetServerProgramDispatch (prog=0x555555690c10, server=0x555555627080, client=0x5555556bf050, msg=0x5555556c0000) at ../src/rpc/virnetserverprogram.c:302
#13 0x00007ffff7cf042b in virNetServerProcessMsg (srv=0x555555627080, client=0x5555556bf050, prog=0x555555690c10, msg=0x5555556c0000) at ../src/rpc/virnetserver.c:137
#14 0x00007ffff7cf04eb in virNetServerHandleJob (jobOpaque=0x5555556b66b0, opaque=0x555555627080) at ../src/rpc/virnetserver.c:154
#15 0x00007ffff7bd912f in virThreadPoolWorker (opaque=0x55555562bc70) at ../src/util/virthreadpool.c:163
#16 0x00007ffff7bd8645 in virThreadHelper (data=0x55555562bc90) at ../src/util/virthread.c:233
#17 0x00007ffff6d90432 in start_thread () at /lib64/libpthread.so.0
#18 0x00007ffff75c5913 in clone () at /lib64/libc.so.6

Signed-off-by: Jonathon Jongsma
Reviewed-by: Boris Fiuczynski
Reviewed-by: Ján Tomko

--- src/conf/node_device_conf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/conf/node_device_conf.c b/src/conf/node_device_conf.c index 4e2837c1cd..cac4243b50 100644 --- a/src/conf/node_device_conf.c +++ b/src/conf/node_device_conf.c @@ -2673,7 +2673,7 @@ virNodeDeviceGetMdevTypesCaps(const char *sysfspath, =20 /* this could be a refresh, so clear out the old data */ for (i =3D 0; i < *nmdev_types; i++) - virMediatedDeviceTypeFree(*mdev_types[i]); + virMediatedDeviceTypeFree((*mdev_types)[i]); VIR_FREE(*mdev_types); *nmdev_types =3D 0; =20 --=20 2.26.2
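
Review bot: The commit message names the cause (operator precedence) but not the trigger, and the cleanup loop in virNodeDeviceGetMdevTypesCaps() is where that matters: `*mdev_types[i]` parses as `*(mdev_types[i])`, which equals `(*mdev_types)[i]` only for i == 0, so the crash needs a refresh that finds at least two previously stored types. For i >= 1 the old expression indexed past the caller's array pointer instead of into the array; in frame #0 `nmdev_types` sits 8 bytes after `mdev_types`, so index 1 likely read the element count and dereferenced it as a pointer. The parenthesised form is correct. Consider adding that one-sentence explanation to the message, and checking the rest of commit f1b0890 for the same `*ptr[i]` pattern on out-parameters, since only this one call site is touched here.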