If virStoragePoolObjNew() fails to create new volume object list then virObjectUnref() is called and since refcounter is 1 then virStoragePoolObjDispose() is called which in turn calls virStoragePoolObjClearVols() which in turn dereferences obj->volumes. Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com&gt; --- src/conf/virstorageobj.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/conf/virstorageobj.c b/src/conf/virstorageobj.c index 1d6c9d1937..1d5c88f50b 100644 --- a/src/conf/virstorageobj.c +++ b/src/conf/virstorageobj.c @@ -365,8 +365,10 @@ virStoragePoolObjDispose(void *opaque) if (!obj) return; - virStoragePoolObjClearVols(obj); - virObjectUnref(obj->volumes); + if (obj->volumes) { + virStoragePoolObjClearVols(obj); + virObjectUnref(obj->volumes); + } virStoragePoolDefFree(obj->def); virStoragePoolDefFree(obj->newDef); -- 2.21.0

Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com&gt; --- src/rpc/virnetserver.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/rpc/virnetserver.c b/src/rpc/virnetserver.c index 83b871764f..4934dba967 100644 --- a/src/rpc/virnetserver.c +++ b/src/rpc/virnetserver.c @@ -629,7 +629,9 @@ virJSONValuePtr virNetServerPreExecRestart(virNetServerPtr srv) goto error; } - services = virJSONValueNewArray(); + if (!(services = virJSONValueNewArray())) + goto error; + if (virJSONValueObjectAppend(object, "services", services) < 0) { virJSONValueFree(services); goto error; @@ -646,7 +648,9 @@ virJSONValuePtr virNetServerPreExecRestart(virNetServerPtr srv) } } - clients = virJSONValueNewArray(); + if (!(clients = virJSONValueNewArray())) + goto error; + if (virJSONValueObjectAppend(object, "clients", clients) < 0) { virJSONValueFree(clients); goto error; -- 2.21.0

The idea of virCommand* APIs is that a possible error that occurred while constructing cmd line is kept in virCommand struct. If that's the case all subsequent calls to virCommand*() are NO-OPs or they return an error. Well, virCommandPassFDGetFDIndex() is not honoring that. Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com&gt; --- src/util/vircommand.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/util/vircommand.c b/src/util/vircommand.c index 9e99697c55..8695c98d1b 100644 --- a/src/util/vircommand.c +++ b/src/util/vircommand.c @@ -1034,6 +1034,9 @@ virCommandPassFDGetFDIndex(virCommandPtr cmd, int fd) { size_t i = 0; + if (!cmd || cmd->has_error) + return -1; + while (i < cmd->npassfd) { if (cmd->passfd[i].fd == fd) return i; -- 2.21.0

On Tue, May 14, 2019 at 11:24:11AM +0200, Michal Privoznik wrote: This is the flaw that caused the crash I reported yesterday when running qemuxml2argvtest with ENOMEM simulation active. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|