From 02a17066ac3dfb5e53b72b15a80643154990191b Mon Sep 17 00:00:00 2001
From: jiangdongxu <jiangdongxu1@huawei.com>
Date: Thu, 10 Feb 2022 21:50:28 +0800
Subject: [PATCH] bugfix: fix eventfds may double free when vm_id reused in
 ivshmem

As the ivshmem Server-Client Protol describes, when a
client disconnects from the server, server sends disconnect
notifications to the other clients. And the other clients
will free the eventfds of the disconnected client according
to the client ID. If the client ID is reused, the eventfds
may be double freed.

It will be solved by setting eventfds to NULL after freeing
and allocating memory for it when it's used.

Signed-off-by: Peng Liang <liangpeng10@huawei.com>
Signed-off-by: jiangdongxu <jiangdongxu1@huawei.com>
---
 hw/misc/ivshmem.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/hw/misc/ivshmem.c b/hw/misc/ivshmem.c
index 1ba4a98377..05f06ed6cf 100644
--- a/hw/misc/ivshmem.c
+++ b/hw/misc/ivshmem.c
@@ -400,6 +400,7 @@ static void close_peer_eventfds(IVShmemState *s, int posn)
     }
 
     g_free(s->peers[posn].eventfds);
+    s->peers[posn].eventfds = NULL;
     s->peers[posn].nb_eventfds = 0;
 }
 
@@ -530,6 +531,10 @@ static void process_msg_connect(IVShmemState *s, uint16_t posn, int fd,
         close(fd);
         return;
     }
+    if (peer->eventfds == NULL) {
+        peer->eventfds = g_new0(EventNotifier, s->vectors);
+        peer->nb_eventfds = 0;
+    }
     vector = peer->nb_eventfds++;
 
     IVSHMEM_DPRINTF("eventfds[%d][%d] = %d\n", posn, vector, fd);
-- 
2.27.0