From mboxrd@z Thu Jan  1 00:00:00 1970
From: Jim Paris <jim-XrPbb/hENzg@public.gmane.org>
Subject: [PATCH 1/3] qemu: fix freed pointer dereference
Date: Wed,  8 Aug 2007 16:22:47 -0400
Message-ID: <11866045692122-git-send-email-jim@jtan.com>
References: 46B9896D.3030506@qumranet.com
	<1186604569626-git-send-email-jim@jtan.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Cc: Jim Paris <jim-XrPbb/hENzg@public.gmane.org>
To: Uri Lublin <uril-atKUWr5tajBWk0Htik3J/w@public.gmane.org>, kvm-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org
Return-path: <kvm-devel-bounces-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org>
In-Reply-To: <1186604569626-git-send-email-jim-XrPbb/hENzg@public.gmane.org>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/kvm-devel>,
	<mailto:kvm-devel-request-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=kvm-devel>
List-Post: <mailto:kvm-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org>
List-Help: <mailto:kvm-devel-request-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/kvm-devel>,
	<mailto:kvm-devel-request-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org?subject=subscribe>
Sender: kvm-devel-bounces-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org
Errors-To: kvm-devel-bounces-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org
List-Id: kvm.vger.kernel.org

If *has_error==0, s is freed before s->detach is used.  Save a copy of
s->detach earlier.

Signed-off-by: Jim Paris <jim-XrPbb/hENzg@public.gmane.org>
---

This shouldn't change much since the memory is most likely still
valid even after it's been freed, but it's still a bug.

 qemu/migration.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/qemu/migration.c b/qemu/migration.c
index 6053c98..4d7aa01 100644
--- a/qemu/migration.c
+++ b/qemu/migration.c
@@ -169,6 +169,7 @@ static void migrate_finish(MigrationState *s)
     int ret = 0;
     int *has_error = s->has_error;
     int saved_vm_running = vm_running;
+    int detach = s->detach;
 
     fcntl(s->fd, F_SETFL, 0);
 
@@ -194,7 +195,7 @@ static void migrate_finish(MigrationState *s)
 	if (saved_vm_running)
             vm_start();
     }
-    if (!s->detach)
+    if (!detach)
 	monitor_resume();
     qemu_free(has_error);
     cpu_physical_memory_set_dirty_tracking(0);
-- 
1.5.3.GIT


-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/