From: "Daniel P. Berrange" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: Peter Maydell <peter.maydell@linaro.org>,
"Daniel P. Berrange" <berrange@redhat.com>
Subject: [Qemu-devel] [PULL v1] io: fix possible double free of task error object
Date: Thu, 26 Jan 2017 10:27:57 +0000
Message-ID: <20170126102757.23280-2-berrange@redhat.com>
In-Reply-To: <20170126102757.23280-1-berrange@redhat.com>
If a QIOTask has an error set and the calling code uses
qio_task_propagate_error() to steal the reference to
that Error object, the task would not clear its own
reference. This would lead to a double-free when
qio_task_free runs, if the caller had (correctly) freed
the Error object they now owned.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
io/task.c | 1 +
tests/test-io-task.c | 4 +++-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/io/task.c b/io/task.c
index 60bf1a9..3ce5560 100644
--- a/io/task.c
+++ b/io/task.c
@@ -157,6 +157,7 @@ bool qio_task_propagate_error(QIOTask *task,
{
if (task->err) {
error_propagate(errp, task->err);
+ task->err = NULL;
return true;
}
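Review bot: the new `task->err = NULL;` in qio_task_propagate_error() has no comment, so the reason for it (the Error has been handed to the caller and qio_task_free must not release it again) lives only in the commit message. Suggest a one-line comment above the assignment, and a sentence in the function's documentation saying that after a true return the caller owns the Error and is responsible for freeing it.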
diff --git a/tests/test-io-task.c b/tests/test-io-task.c
index ff62272..141aa2c 100644
--- a/tests/test-io-task.c
+++ b/tests/test-io-task.c
@@ -127,7 +127,7 @@ static void test_task_failure(void)
g_assert(data.source == obj);
g_assert(data.err == err);
g_assert(data.freed == false);
-
+ error_free(data.err);
}
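Review bot: in test_task_failure() the added `error_free(data.err);` is the only thing that exercises the fix, and nothing asserts on it, so a regression shows up only if the allocator or a memory checker reports the second free. Suggest a short comment stating that the test owns data.err at this point and frees it deliberately. The hunk also drops the blank line that separated the assertions from the end of the function; keeping it would set the cleanup apart from the checks.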
@@ -238,6 +238,8 @@ static void test_task_thread_failure(void)
g_assert(data.source == obj);
g_assert(data.err != NULL);
+ error_free(data.err);
+
self = g_thread_self();
/* Make sure the test_task_thread_worker actually got
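Review bot: in test_task_thread_failure() the added `error_free(data.err);` sits in the middle of the function, and data.err keeps pointing at the freed object while the remaining checks run. Suggest following it with `data.err = NULL;`, or moving the free to the end of the function, so a later assertion cannot read the stale pointer.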
--
2.9.3
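
The sequence described in the commit message, as an added C model that is not part of the patch or of QEMU. ToyError, ToyTask and the toy_* functions are simplified stand-ins (assumptions), and releases are counted instead of being passed to free(), so the double release can be observed without undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for Error and QIOTask; not QEMU's definitions. */
typedef struct { int free_count; } ToyError;
typedef struct { ToyError *err; } ToyTask;

/* Records a release instead of calling free(), so a double free is
 * visible as free_count == 2. */
static void toy_error_free(ToyError *e) { if (e) e->free_count++; }

/* Ownership moves to *errp; with no destination the error is released. */
static void toy_error_propagate(ToyError **errp, ToyError *e)
{
    if (errp && !*errp) *errp = e; else toy_error_free(e);
}

/* clear_ref = false models the code before the patch, true the code after. */
static bool toy_task_propagate_error(ToyTask *t, ToyError **errp, bool clear_ref)
{
    if (t->err) {
        toy_error_propagate(errp, t->err);
        if (clear_ref) t->err = NULL;   /* task gives up its reference */
        return true;
    }
    return false;
}

static void toy_task_free(ToyTask *t) { toy_error_free(t->err); t->err = NULL; }

/* Runs the sequence from the commit message and returns how many times the
 * single error object was released (1 is correct, 2 is a double free). */
static int releases_after_propagate(bool clear_ref)
{
    ToyError e = { 0 };
    ToyTask task = { &e };
    ToyError *caller_err = NULL;
    toy_task_propagate_error(&task, &caller_err, clear_ref);
    toy_error_free(caller_err);   /* caller frees the error it now owns */
    toy_task_free(&task);         /* task teardown releases task.err, if set */
    return e.free_count;
}

int main(void)
{
    printf("releases before patch: %d\n", releases_after_propagate(false));
    printf("releases after patch:  %d\n", releases_after_propagate(true));
    return 0;
}
```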