From a03b5cb64b9f09803204014f3189869f0f72969d Mon Sep 17 00:00:00 2001
From: Pekka Enberg
Date: Sat, 4 Feb 2012 10:30:42 +0200
Subject: [PATCH] kvm tools, x86: Fix use after free in irq__exit()

Valgrind spotted this issue with KVM tool shutdown:

==1823== Invalid read of size 8
==1823== at 0x410DD0: rb_next (rbtree.c:390)
==1823== by 0x417376: irq__exit (irq.c:182)
==1823== by 0x406230: kvm_cmd_run (builtin-run.c:1275)
==1823== by 0x410670: handle_command (kvm-cmd.c:84)
==1823== by 0x3DE682139C: (below main) (in /lib64/libc-2.14.so)
==1823== Address 0x4f7cca0 is 0 bytes inside a block of size 48 free'd
==1823== at 0x4A055FE: free (vg_replace_malloc.c:366)
==1823== by 0x41736E: irq__exit (irq.c:192)
==1823== by 0x406230: kvm_cmd_run (builtin-run.c:1275)
==1823== by 0x410670: handle_command (kvm-cmd.c:84)
==1823== by 0x3DE682139C: (below main) (in /lib64/libc-2.14.so)

Fix it up.

Signed-off-by: Pekka Enberg
---
 tools/kvm/x86/irq.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/tools/kvm/x86/irq.c b/tools/kvm/x86/irq.c
index 1d8ae2b81983..dc07f28d22f1 100644
--- a/tools/kvm/x86/irq.c
+++ b/tools/kvm/x86/irq.c
@@ -179,17 +179,25 @@ int irq__exit(struct kvm *kvm)
 free(irq_routing);
- for (ent = rb_first(&pci_tree); ent; ent = rb_next(ent)) {
+ ent = rb_first(&pci_tree);
+ for (;;) {
 struct pci_dev *dev;
+ struct rb_node *next;
 struct irq_line *line;
 struct list_head *node, *tmp;
+ if (!ent)
+ break;
+
+ next = rb_next(ent);
+
 dev = rb_entry(ent, struct pci_dev, node);
 list_for_each_safe(node, tmp, &dev->lines) {
 line = list_entry(node, struct irq_line, node);
 free(line);
 }
 free(dev);
+ ent = next;
 }
 return 0;
--
2.39.5
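Review bot: Once the loop finishes every `struct pci_dev` has been freed, but `pci_tree` is never emptied, so its root still points at freed memory and any later walk of the tree (a second `irq__exit()` call, or a device registered after teardown began) would hit the same use-after-free this commit fixes. Either unlink each node before releasing it with `rb_erase(ent, &pci_tree);` placed just before `free(dev);`, or reset the root after the loop with `pci_tree = RB_ROOT;`. As a matter of style, `for (;;)` plus `if (!ent) break;` is harder to read than the usual safe-iteration shape; declaring `next` alongside `ent` would allow `for (ent = rb_first(&pci_tree); ent; ent = next) { next = rb_next(ent); …`. The opening of irq__exit(), where `ent` is declared, lies outside the hunk.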