From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([140.186.70.92]:47658) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1RPWxP-0003Zf-Dl for qemu-devel@nongnu.org; Sun, 13 Nov 2011 05:06:36 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1RPWxN-0007bL-F5 for qemu-devel@nongnu.org; Sun, 13 Nov 2011 05:06:35 -0500 Received: from mx1.redhat.com ([209.132.183.28]:62006) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1RPWxN-0007bA-4R for qemu-devel@nongnu.org; Sun, 13 Nov 2011 05:06:33 -0500 From: Avi Kivity Date: Sun, 13 Nov 2011 12:06:19 +0200 Message-Id: <1321178779-18124-2-git-send-email-avi@redhat.com> In-Reply-To: <1321178779-18124-1-git-send-email-avi@redhat.com> References: <1321178779-18124-1-git-send-email-avi@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Subject: [Qemu-devel] [PATCH 1.0 1/1] memory: fix 'info mtree' segfaults List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Anthony Liguori , qemu-devel@nongnu.org Cc: Stefan Weil , =?UTF-8?q?Andreas=20F=C3=A4rber?= 'info mtree' accesses invalid memory in two cases, both due to incorrect (and unsafe) usage of QTAILQ_FOREACH_SAFE(). Reported-by: Andreas F=C3=A4rber Signed-off-by: Avi Kivity --- memory.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/memory.c b/memory.c index c0c1d12..7c20a07 100644 --- a/memory.c +++ b/memory.c @@ -1401,7 +1401,7 @@ static void mtree_print_mr(fprintf_function mon_pri= ntf, void *f, alias_print_queue); } =20 - QTAILQ_FOREACH_SAFE(next_ml, &submr_print_queue, queue, ml) { + QTAILQ_FOREACH_SAFE(ml, &submr_print_queue, queue, next_ml) { g_free(ml); } } @@ -1425,7 +1425,7 @@ void mtree_info(fprintf_function mon_printf, void *= f) } =20 QTAILQ_FOREACH_SAFE(ml, &ml_head, queue, ml2) { - g_free(ml2); + g_free(ml); } =20 if (address_space_io.root && --=20 1.7.7.1
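Review bot: in the first hunk (mtree_print_mr), a one-line comment above the loop saying the whole submr_print_queue is being discarded would make the intent explicit, because the loop frees entries without QTAILQ_REMOVE and that is only safe while the list head is not touched again after the loop. The argument swap itself is the right fix: QTAILQ_FOREACH_SAFE(var, head, field, tvar) takes the current element first and the saved-next element last, so the removed `QTAILQ_FOREACH_SAFE(next_ml, &submr_print_queue, queue, ml)` with `g_free(ml)` freed the element the macro had saved for the following iteration and then dereferenced it to load the next pointer, while the first entry was never freed. The replacement `QTAILQ_FOREACH_SAFE(ml, &submr_print_queue, queue, next_ml)` with `g_free(ml)` matches the macro's contract.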
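Review bot: for the second hunk (mtree_info), the commit message only mentions invalid memory accesses, but the removed `g_free(ml2)` also leaked the first entry and passed NULL to g_free on the final iteration (a harmless no-op), so the log could mention the leak as well. The replacement `g_free(ml)` frees the element the loop has already stepped past, which is what the tvar saved in `ml2` is for. As a style point, the name `ml2` says nothing about its role, which is exactly how the two variables got confused; renaming it to `next_ml` to match the first hunk would be a small follow-up.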