From 85c3a1820a0b4b0301af8172bffaf182e6cd2b2e Mon Sep 17 00:00:00 2001
From: Nikolay Shirokovskiy <nshirokovskiy@virtuozzo.com>
Date: Tue, 4 Oct 2016 17:27:44 +0300
Subject: [PATCH] daemon: Fix crash during daemon cleanup

Do not dereference the 'dmn' until after the virStateCleanup is completed.

During initialization, virStateInitialize requires/uses the "dmn" as the
argument to/for the daemonInhibitCallback functions. Thus, cleanup cannot
dereference 'dmn' until after calling the virStateCleanup which calls the
the daemonInhibitCallback using 'dmn'; otherwise, the following crash occurs:

backtrace (shortened a bit)

1  0x00007fd3a791b2e6 in virCondWait (c=<optimized out>, m=<optimized out>)
   at util/virthread.c:154
2  0x00007fd3a791bcb0 in virThreadPoolFree (pool=0x7fd38024ee00)
   at util/virthreadpool.c:266
3  0x00007fd38edaa00e in qemuStateCleanup () at qemu/qemu_driver.c:1116
4  0x00007fd3a79abfeb in virStateCleanup () at libvirt.c:808
5  0x00007fd3a85f2c9e in main (argc=<optimized out>, argv=<optimized out>)
    at libvirtd.c:1660

Thread 1 (Thread 0x7fd38722d700 (LWP 32256)):
0  0x00007fd3a7900910 in virClassIsDerivedFrom
   (klass=0xdfd36058d4853, parent=0x7fd3a8f394d0) at util/virobject.c:169
1  0x00007fd3a7900c4e in virObjectIsClass
   (anyobj=anyobj@entry=0x7fd3a8f2f850, klass=<optimized out>)
   at util/virobject.c:365
2  0x00007fd3a7900c74 in virObjectLock (anyobj=0x7fd3a8f2f850)
   at util/virobject.c:317
3  0x00007fd3a7a24d5d in virNetDaemonRemoveShutdownInhibition
   (dmn=0x7fd3a8f2f850) at rpc/virnetdaemon.c:547
4  0x00007fd38ed722cf in qemuProcessStop
   (driver=driver@entry=0x7fd380103810, vm=vm@entry=0x7fd38025b6d0,
    reason=reason@entry=VIR_DOMAIN_SHUTOFF_SHUTDOWN,
    asyncJob=asyncJob@entry=QEMU_ASYNC_JOB_NONE, flags=flags@entry=0)
   at qemu/qemu_process.c:5786
5  0x00007fd38edd9428 in processMonitorEOFEvent
   (vm=0x7fd38025b6d0, driver=0x7fd380103810) at qemu/qemu_driver.c:4588
6  qemuProcessEventHandler (data=<optimized out>, opaque=0x7fd380103810)
   at qemu/qemu_driver.c:4632
7  0x00007fd3a791bb55 in virThreadPoolWorker
   (opaque=opaque@entry=0x7fd3a8f1e4c0) at util/virthreadpool.c:145
---
 daemon/libvirtd.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/daemon/libvirtd.c b/daemon/libvirtd.c
index fbba9cc4e4..cd25b508e3 100644
--- a/daemon/libvirtd.c
+++ b/daemon/libvirtd.c
@@ -1628,7 +1628,6 @@ int main(int argc, char **argv) {
     virObjectUnref(qemuProgram);
     virObjectUnref(adminProgram);
     virNetDaemonClose(dmn);
-    virObjectUnref(dmn);
     virObjectUnref(srv);
     virObjectUnref(srvAdm);
     virNetlinkShutdown();
@@ -1658,6 +1657,9 @@ int main(int argc, char **argv) {
         driversInitialized = false;
         virStateCleanup();
     }
+    /* Now that the hypervisor shutdown inhibition functions that use
+     * 'dmn' as a parameter are done, we can finally unref 'dmn' */
+    virObjectUnref(dmn);
 
     return ret;
 }