qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed
* [Qemu-devel] [PATCH] aio-epoll: Fix use-after-free of node
@ 2015-11-16  6:32 Fam Zheng
  2015-11-17  4:00 ` Stefan Hajnoczi
  0 siblings, 1 reply; 2+ messages in thread
From: Fam Zheng @ 2015-11-16  6:32 UTC (permalink / raw)
  To: qemu-devel; +Cc: pbonzini, qemu-block, Stefan Hajnoczi

aio_epoll_update needs the fields in node, so delay the free.

Reported-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Fam Zheng <famz@redhat.com>
---
 aio-posix.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/aio-posix.c b/aio-posix.c
index 06148a9..482b316 100644
--- a/aio-posix.c
+++ b/aio-posix.c
@@ -210,6 +210,7 @@ void aio_set_fd_handler(AioContext *ctx,
 {
     AioHandler *node;
     bool is_new = false;
+    bool deleted = false;
 
     node = find_aio_handler(ctx, fd);
 
@@ -228,7 +229,7 @@ void aio_set_fd_handler(AioContext *ctx,
                  * releasing the walking_handlers lock.
                  */
                 QLIST_REMOVE(node, node);
-                g_free(node);
+                deleted = true;
             }
         }
     } else {
@@ -253,6 +254,9 @@ void aio_set_fd_handler(AioContext *ctx,
 
     aio_epoll_update(ctx, node, is_new);
     aio_notify(ctx);
+    if (deleted) {
+        g_free(node);
+    }
 }
 
 void aio_set_event_notifier(AioContext *ctx,
-- 
2.4.3

^ permalink raw reply related	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2015-11-17  4:01 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-11-16  6:32 [Qemu-devel] [PATCH] aio-epoll: Fix use-after-free of node Fam Zheng
2015-11-17  4:00 ` Stefan Hajnoczi

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).