[Qemu-devel] PATCH: Avoid SEGV in IOHandler dispatch
@ 2007-08-13 19:06 Daniel P. Berrange
From: Daniel P. Berrange @ 2007-08-13 19:06 UTC (permalink / raw)
To: qemu-devel
The code in main_loop_wait() which handles dispatching of IOHandlers only
checks the 'deleted' flag once per iteration. If a handler was registered
for both read & write events initially, and the read callback removes the
handler, then the write callback will be set to NULL. If select() reported
that there was a write event pending as well, then this will lead to QEMU
crashing when trying to invoke the NULL write callback. A similar problem
occurs if the handler was registered for read+write, and the read handler
updates it to only select for read in the future - the write callback will
be set to NULL. The attached patch adds necessary checks to protect against
this problem.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Regards,
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|
[-- Attachment #2: iohandler-delete.patch --]
diff -r 25b9628b6900 vl.c
--- a/vl.c Wed Aug 08 15:02:59 2007 -0400
+++ b/vl.c Mon Aug 13 15:02:22 2007 -0400
@@ -6453,12 +6453,10 @@ void main_loop_wait(int timeout)
IOHandlerRecord **pioh;
for(ioh = first_io_handler; ioh != NULL; ioh = ioh->next) {
- if (ioh->deleted)
- continue;
- if (FD_ISSET(ioh->fd, &rfds)) {
+ if (!ioh->deleted && ioh->fd_read && FD_ISSET(ioh->fd, &rfds)) {
ioh->fd_read(ioh->opaque);
}
- if (FD_ISSET(ioh->fd, &wfds)) {
+ if (!ioh->deleted && ioh->fd_write && FD_ISSET(ioh->fd, &wfds)) {
ioh->fd_write(ioh->opaque);
}
}
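Review bot: the `!ioh->deleted` re-check before `ioh->fd_write` is only safe because deregistration defers unlinking, so the record stays allocated and `ioh->next` is still valid after a callback has marked it deleted; a short comment above the loop saying that a callback may set `deleted` but must never free or unlink a record would document the invariant this fix relies on, since the separate `pioh` cleanup pass is what makes it hold. The added `ioh->fd_read &&` guard in the first condition is not explained by the description (the write path is the one that can be NULLed by the read callback); either mention the case it covers in the commit message or drop it so the two conditions read symmetrically.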
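The failure the mail describes, as an added example that is not QEMU's code: a self-contained C model of the IOHandler list and the main_loop_wait() dispatch loop, running the old once-per-record check beside the patched per-callback check for both scenarios (read callback removes the handler; read callback re-registers it read-only). The names set_fd_handler, dispatch, scenario, rd_remove, rd_readonly and wr_noop and the fd number 7 are constructed for the example, and a NULL callback is counted rather than invoked.

```c
/* Added example, not QEMU code: a cut-down model of vl.c's IOHandler list and
 * main_loop_wait() dispatch loop. A NULL callback is counted, not called. */
#include <stdlib.h>
typedef void IOHandler(void *opaque);
typedef struct IOHandlerRecord {
    int fd, deleted;             /* 'deleted' is set here, unlinked by a later pass */
    IOHandler *fd_read, *fd_write; void *opaque; struct IOHandlerRecord *next;
} IOHandlerRecord;
static IOHandlerRecord *first_io_handler;
/* Modelled on qemu_set_fd_handler(): both callbacks NULL means "remove". */
static void set_fd_handler(int fd, IOHandler *rd, IOHandler *wr, void *opaque)
{
    IOHandlerRecord *ioh = first_io_handler;
    while (ioh && ioh->fd != fd) ioh = ioh->next;
    if (!ioh) { ioh = calloc(1, sizeof *ioh); ioh->fd = fd;
                ioh->next = first_io_handler; first_io_handler = ioh; }
    ioh->fd_read = rd; ioh->fd_write = wr; ioh->opaque = opaque;
    ioh->deleted = (!rd && !wr);  /* deferred removal, as in vl.c */
}
/* The two read callbacks from the mail: remove the handler, or re-register it
 * for read only. Either way the record's fd_write is NULL afterwards. */
static void rd_remove(void *o)   { set_fd_handler(*(int *)o, NULL, NULL, NULL); }
static void rd_readonly(void *o) { set_fd_handler(*(int *)o, rd_readonly, NULL, o); }
static void wr_noop(void *o)     { (void)o; }
/* One select() result: fd 'rfd' readable, 'wfd' writable. fixed=0 checks
 * 'deleted' once per record (old code); fixed=1 re-checks 'deleted' and the
 * callback pointer before each call (the patch). Returns would-be NULL calls. */
#define CALL(cb) do { if (cb) cb(ioh->opaque); else null_calls++; } while (0)
static int dispatch(int rfd, int wfd, int fixed)
{
    int null_calls = 0;
    for (IOHandlerRecord *ioh = first_io_handler; ioh; ioh = ioh->next) {
        if (!fixed && ioh->deleted) continue;
        if (ioh->fd == rfd && (!fixed || (!ioh->deleted && ioh->fd_read)))
            CALL(ioh->fd_read);
        if (ioh->fd == wfd && (!fixed || (!ioh->deleted && ioh->fd_write)))
            CALL(ioh->fd_write);
    }
    return null_calls;
}
/* Register fd 7 (constructed, never opened) for read+write with 'rd' as the
 * read callback, then dispatch once with both events pending. */
static int scenario(IOHandler *rd, int fixed)
{
    static int fd = 7;
    first_io_handler = NULL;      /* earlier records leak; fine for a demo */
    set_fd_handler(fd, rd, wr_noop, &fd);
    return dispatch(fd, fd, fixed);
}
```

With the old check each scenario would have invoked a NULL fd_write once (the SEGV); with the patched check neither does.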