From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:47168)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <jasowang@redhat.com>) id 1bbkIg-0006EL-Pr
	for qemu-devel@nongnu.org; Mon, 22 Aug 2016 04:09:43 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <jasowang@redhat.com>) id 1bbkIa-0007M3-Jr
	for qemu-devel@nongnu.org; Mon, 22 Aug 2016 04:09:42 -0400
Received: from mx1.redhat.com ([209.132.183.28]:33278)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <jasowang@redhat.com>) id 1bbkIa-0007Ly-Du
	for qemu-devel@nongnu.org; Mon, 22 Aug 2016 04:09:36 -0400
From: Jason Wang <jasowang@redhat.com>
Date: Mon, 22 Aug 2016 16:09:26 +0800
Message-Id: <1471853367-18474-2-git-send-email-jasowang@redhat.com>
In-Reply-To: <1471853367-18474-1-git-send-email-jasowang@redhat.com>
References: <1471853367-18474-1-git-send-email-jasowang@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Subject: [Qemu-devel] [PULL 1/2] slirp: fix segv when init failed
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org, peter.maydell@linaro.org
Cc: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>, Jason Wang <jasowang@redhat.com>

From: Marc-Andr=C3=A9 Lureau <marcandre.lureau@redhat.com>

Since commit f6c2e66ae8c8a, slirp uses an exit notifier to call
slirp_smb_cleanup. However, if init() failed, the notifier isn't added,
and removing it will fail:

=3D=3D18447=3D=3D Invalid write of size 8
=3D=3D18447=3D=3D    at 0x7EF2B5: notifier_remove (notify.c:32)
=3D=3D18447=3D=3D    by 0x48E80C: qemu_remove_exit_notifier (vl.c:2661)
=3D=3D18447=3D=3D    by 0x6A2187: net_slirp_cleanup (slirp.c:134)
=3D=3D18447=3D=3D    by 0x69419D: qemu_cleanup_net_client (net.c:338)
=3D=3D18447=3D=3D    by 0x69445B: qemu_del_net_client (net.c:401)
=3D=3D18447=3D=3D    by 0x6A2B81: net_slirp_init (slirp.c:366)
=3D=3D18447=3D=3D    by 0x6A4241: net_init_slirp (slirp.c:865)
=3D=3D18447=3D=3D    by 0x695C6D: net_client_init1 (net.c:1051)
=3D=3D18447=3D=3D    by 0x695F6E: net_client_init (net.c:1108)
=3D=3D18447=3D=3D    by 0x696DBA: net_init_netdev (net.c:1498)
=3D=3D18447=3D=3D    by 0x7F1F99: qemu_opts_foreach (qemu-option.c:1116)
=3D=3D18447=3D=3D    by 0x696E60: net_init_clients (net.c:1516)
=3D=3D18447=3D=3D  Address 0x0 is not stack'd, malloc'd or (recently) fre=
e'd

Signed-off-by: Marc-Andr=C3=A9 Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 net/slirp.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/slirp.c b/net/slirp.c
index facc30e..b60893f 100644
--- a/net/slirp.c
+++ b/net/slirp.c
@@ -131,7 +131,9 @@ static void net_slirp_cleanup(NetClientState *nc)
     SlirpState *s =3D DO_UPCAST(SlirpState, nc, nc);
=20
     slirp_cleanup(s->slirp);
-    qemu_remove_exit_notifier(&s->exit_notifier);
+    if (s->exit_notifier.notify) {
+        qemu_remove_exit_notifier(&s->exit_notifier);
+    }
     slirp_smb_cleanup(s);
     QTAILQ_REMOVE(&slirp_stacks, s, entry);
 }
--=20
2.7.4