Jiabo Feng/qemu

bugfix-fix-eventfds-may-double-free-when-vm_id-reuse.patch 1.56 KB
Jiabo Feng committed on 2024-03-23 09:20 . QEMU update to version 8.2.0-2
From 6588c017de54bab8a11509d43e2ddabf065cfa50 Mon Sep 17 00:00:00 2001
From: jiangdongxu <jiangdongxu1@huawei.com>
Date: Thu, 10 Feb 2022 21:50:28 +0800
Subject: [PATCH] bugfix: fix eventfds may double free when vm_id reused in
ivshmem
As the ivshmem Server-Client Protocol describes, when a
client disconnects from the server, the server sends disconnect
notifications to the other clients. And the other clients
will free the eventfds of the disconnected client according
to the client ID. If the client ID is reused, the eventfds
may be double freed.
It will be solved by setting eventfds to NULL after freeing
and allocating memory for it when it's used.
Signed-off-by: Peng Liang <liangpeng10@huawei.com>
Signed-off-by: jiangdongxu <jiangdongxu1@huawei.com>
Signed-off-by: Adttil <yangtao286@huawei.com>
---
hw/misc/ivshmem.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/hw/misc/ivshmem.c b/hw/misc/ivshmem.c
index 0447888029..ad9a3c546e 100644
--- a/hw/misc/ivshmem.c
+++ b/hw/misc/ivshmem.c
@@ -400,6 +400,7 @@ static void close_peer_eventfds(IVShmemState *s, int posn)
}
g_free(s->peers[posn].eventfds);
+ s->peers[posn].eventfds = NULL;
s->peers[posn].nb_eventfds = 0;
}
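Review bot: clearing `s->peers[posn].eventfds = NULL;` right after the `g_free` is the correct cut for the dangling pointer, because `g_free(NULL)` is a no-op, so a second disconnect notification for a reused ID can no longer release the same block; the protection only holds if this function is the sole place that frees `peers[].eventfds`, so it is worth confirming there is no other free of that member that would also need the same NULL assignment.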
@@ -533,6 +534,10 @@ static void process_msg_connect(IVShmemState *s, uint16_t posn, int fd,
close(fd);
return;
}
+ if (peer->eventfds == NULL) {
+ peer->eventfds = g_new0(EventNotifier, s->vectors);
+ peer->nb_eventfds = 0;
+ }
vector = peer->nb_eventfds++;
IVSHMEM_DPRINTF("eventfds[%d][%d] = %d\n", posn, vector, fd);
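Review bot: the lazy `g_new0(EventNotifier, s->vectors)` gives a reused ID a fresh table before `vector = peer->nb_eventfds++` indexes into it, but the hunk itself shows no bound on that index; the `close(fd); return;` context just above presumably belongs to a check on `nb_eventfds`, so please confirm it compares against the same `s->vectors` used to size this allocation, otherwise extra connect messages from one peer would write past the new block. The `peer->nb_eventfds = 0;` inside the new branch duplicates the reset already done in close_peer_eventfds; harmless, but a one-line comment stating that the pointer is NULL only after a disconnect would document why allocation happens here rather than where the peer table is first set up.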
--
2.27.0
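The ID-reuse sequence the commit message describes, replayed against a constructed model of the peer table (added example, not QEMU's code): a tracking allocator counts releases of blocks it no longer owns, so the unpatched path reports one double free and the patched path none. `Peer`, `tracked_free`, `replay_id_reuse` and the two-vector table are assumptions of this model.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PEERS 4
#define VECTORS   2                    /* constructed: s->vectors in QEMU */

typedef struct { int fd; } EventNotifier;                      /* stand-in type */
typedef struct { EventNotifier *eventfds; int nb_eventfds; } Peer;

static Peer peers[MAX_PEERS];
static void *live[16];                 /* blocks currently owned by the table */
static int double_frees;               /* releases of a block not in `live` */

static void *tracked_alloc(size_t n) {
    void *p = calloc(1, n);
    for (int i = 0; i < 16; i++) if (!live[i]) { live[i] = p; break; }
    return p;
}
/* Blocks are quarantined rather than freed so the buggy replay stays defined. */
static void tracked_free(void *p) {
    if (!p) return;                    /* like g_free(NULL): a no-op */
    for (int i = 0; i < 16; i++) if (live[i] == p) { live[i] = NULL; return; }
    double_frees++;                    /* second release of the same block */
}

/* Disconnect notification for `posn`; the fix clears the pointer after freeing. */
static void close_peer_eventfds(int posn, bool patched) {
    tracked_free(peers[posn].eventfds);
    if (patched) peers[posn].eventfds = NULL;
    peers[posn].nb_eventfds = 0;
}

/* Connect message for (posn, fd); the fix allocates lazily when the table is gone. */
static bool process_msg_connect(int posn, int fd, bool patched) {
    Peer *peer = &peers[posn];
    if (patched && peer->eventfds == NULL) {
        peer->eventfds = tracked_alloc(sizeof(EventNotifier) * VECTORS);
        peer->nb_eventfds = 0;
    }
    if (peer->eventfds == NULL || peer->nb_eventfds >= VECTORS) return false;
    peer->eventfds[peer->nb_eventfds++].fd = fd;   /* unpatched: dangling write */
    return true;
}

/* Client at ID 1 leaves, a new client reuses ID 1 and leaves too. Returns double frees. */
static int replay_id_reuse(bool patched) {
    memset(peers, 0, sizeof peers); memset(live, 0, sizeof live); double_frees = 0;
    peers[1].eventfds = tracked_alloc(sizeof(EventNotifier) * VECTORS); /* initial table */
    process_msg_connect(1, 10, patched);
    close_peer_eventfds(1, patched);   /* first client disconnects */
    process_msg_connect(1, 11, patched); /* ID reused */
    close_peer_eventfds(1, patched);   /* second disconnect */
    return double_frees;
}
```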