From 963dcf905c5ee0358d6b0b74b124ff340cbbbd2b Mon Sep 17 00:00:00 2001
From: Stefan Berger <stefanb@linux.vnet.ibm.com>
Date: Wed, 19 Mar 2014 13:38:44 -0400
Subject: [PATCH] nwfilter: Fix double free of pointer

https://bugzilla.redhat.com/show_bug.cgi?id=1071181

Commit 49b59a15 fixed one problem but masks another one related to pointer
freeing.

Avoid putting of the virNWFilterSnoopReq once the thread has been started.
It belongs to the thread and the thread will call virNWFilterSnoopReqPut() on it.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
---
 src/nwfilter/nwfilter_dhcpsnoop.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/nwfilter/nwfilter_dhcpsnoop.c b/src/nwfilter/nwfilter_dhcpsnoop.c
index d2a806211c..340760471c 100644
--- a/src/nwfilter/nwfilter_dhcpsnoop.c
+++ b/src/nwfilter/nwfilter_dhcpsnoop.c
@@ -1605,6 +1605,7 @@ virNWFilterDHCPSnoopReq(virNWFilterTechDriverPtr techdriver,
     int tmp;
     virThread thread;
     virNWFilterVarValuePtr dhcpsrvrs;
+    bool threadPuts = false;
 
     virNWFilterSnoopIFKeyFMT(ifkey, vmuuid, macaddr);
 
@@ -1698,6 +1699,8 @@ virNWFilterDHCPSnoopReq(virNWFilterTechDriverPtr techdriver,
         goto exit_snoopreq_unlock;
     }
 
+    threadPuts = true;
+
     virAtomicIntInc(&virNWFilterSnoopState.nThreads);
 
     req->threadkey = virNWFilterSnoopActivate(req);
@@ -1737,7 +1740,8 @@ exit_rem_ifnametokey:
 exit_snoopunlock:
     virNWFilterSnoopUnlock();
 exit_snoopreqput:
-    virNWFilterSnoopReqPut(req);
+    if (!threadPuts)
+        virNWFilterSnoopReqPut(req);
 
     return -1;
 }