From: Michael Roth <mdroth@linux.vnet.ibm.com>
To: Laszlo Ersek <lersek@redhat.com>
Cc: pbonzini@redhat.com, jcody@redhat.com, aliguori@us.ibm.com,
qemu-devel@nongnu.org, lcapitulino@redhat.com
Subject: Re: [Qemu-devel] [PATCH] qmp_output_visitor_cleanup(): fix double free
Date: Mon, 19 Mar 2012 19:43:32 -0500 [thread overview]
Message-ID: <20120320004332.GA25518@illuin> (raw)
In-Reply-To: <1331925372-5429-1-git-send-email-lersek@redhat.com>
On Fri, Mar 16, 2012 at 08:16:12PM +0100, Laszlo Ersek wrote:
> Stack entries in QmpOutputVisitor are navigation links (weak references),
> except the bottom (ie. least recently added) entry, which owns the root
> QObject [1]. Make qmp_output_visitor_cleanup() drop the stack entries,
> then release the QObject tree by the root.
>
> Attempting to serialize an invalid enum inside a dictionary is an example
> for triggering the double free.
>
> [1] http://lists.nongnu.org/archive/html/qemu-devel/2012-03/msg03276.html
>
> Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Looks good. Did you or Paolo want to re-send that test case with a SoB?
I have a test case that triggers this by manually calling error_set(),
but I think yours is better.
> ---
> qapi/qmp-output-visitor.c | 8 +++++---
> 1 files changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/qapi/qmp-output-visitor.c b/qapi/qmp-output-visitor.c
> index e0697b0..2bce9d5 100644
> --- a/qapi/qmp-output-visitor.c
> +++ b/qapi/qmp-output-visitor.c
> @@ -199,14 +199,16 @@ void qmp_output_visitor_cleanup(QmpOutputVisitor *v)
> {
> QStackEntry *e, *tmp;
>
> + /* The bottom QStackEntry, if any, owns the root QObject. See the
> + * qmp_output_push_obj() invocations in qmp_output_add_obj(). */
> + QObject *root = QTAILQ_EMPTY(&v->stack) ? NULL : qmp_output_first(v);
> +
> QTAILQ_FOREACH_SAFE(e, &v->stack, node, tmp) {
> QTAILQ_REMOVE(&v->stack, e, node);
> - if (e->value) {
> - qobject_decref(e->value);
> - }
> g_free(e);
> }
>
> + qobject_decref(root);
> g_free(v);
> }
>
> --
> 1.7.1
>
next prev parent reply other threads:[~2012-03-20 0:44 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <4F633854.9000500@redhat.com>
2012-03-16 14:37 ` [Qemu-devel] RFC: double free in qmp_output_visitor_cleanup() Laszlo Ersek
2012-03-16 17:00 ` Michael Roth
2012-03-16 19:16 ` [Qemu-devel] [PATCH] qmp_output_visitor_cleanup(): fix double free Laszlo Ersek
2012-03-20 0:43 ` Michael Roth [this message]
2012-03-20 10:22 ` [Qemu-devel] [PATCH v2 0/2] qapi: fix double free in QMP OV cleanup, add test case Laszlo Ersek
2012-03-20 13:51 ` Luiz Capitulino
2012-03-20 10:22 ` [Qemu-devel] [PATCH v2 1/2] qapi: fix double free in qmp_output_visitor_cleanup() Laszlo Ersek
2012-03-20 10:22 ` [Qemu-devel] [PATCH v2 2/2] qapi: add struct-errors test case to test-qmp-output-visitor Laszlo Ersek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120320004332.GA25518@illuin \
--to=mdroth@linux.vnet.ibm.com \
--cc=aliguori@us.ibm.com \
--cc=jcody@redhat.com \
--cc=lcapitulino@redhat.com \
--cc=lersek@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.