From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:42417)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <paolo.bonzini@gmail.com>) id 1bUTQ2-0000U2-PU
	for qemu-devel@nongnu.org; Tue, 02 Aug 2016 02:43:15 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <paolo.bonzini@gmail.com>) id 1bUTPw-0000rt-QA
	for qemu-devel@nongnu.org; Tue, 02 Aug 2016 02:43:13 -0400
Received: from mail-wm0-x243.google.com ([2a00:1450:400c:c09::243]:34832)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <paolo.bonzini@gmail.com>) id 1bUTPw-0000ro-Hx
	for qemu-devel@nongnu.org; Tue, 02 Aug 2016 02:43:08 -0400
Received: by mail-wm0-x243.google.com with SMTP id i5so29143142wmg.2
	for <qemu-devel@nongnu.org>; Mon, 01 Aug 2016 23:43:08 -0700 (PDT)
Sender: Paolo Bonzini <paolo.bonzini@gmail.com>
References: <1470109301-12966-1-git-send-email-famz@redhat.com>
	<d43f17ef-1495-95a3-7047-3bf4ac419e5b@redhat.com>
From: Paolo Bonzini <pbonzini@redhat.com>
Message-ID: <e1b65c29-5b64-54c5-3b89-00d1f7036c2f@redhat.com>
Date: Tue, 2 Aug 2016 08:43:04 +0200
MIME-Version: 1.0
In-Reply-To: <d43f17ef-1495-95a3-7047-3bf4ac419e5b@redhat.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH] qdev: Fix use after free in
 qdev_init_nofail error path
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: John Snow <jsnow@redhat.com>, Fam Zheng <famz@redhat.com>, qemu-devel@nongnu.org
Cc: imammedo@redhat.com, ehabkost@redhat.com



On 02/08/2016 06:00, John Snow wrote:
> 
> 
> On 08/01/2016 11:41 PM, Fam Zheng wrote:
>> Since 69382d8b (qdev: Fix object reference leak in case device.realize()
>> fails), object_property_set_bool could release the object. The error
>> path wants the type name, so hold an reference before realizing it.
>>
>> Cc: Igor Mammedov <imammedo@redhat.com>
>> Signed-off-by: Fam Zheng <famz@redhat.com>
>> ---
>>  hw/core/qdev.c | 2 ++
>>  1 file changed, 2 insertions(+)
>>
>> diff --git a/hw/core/qdev.c b/hw/core/qdev.c
>> index ee4a083..5783442 100644
>> --- a/hw/core/qdev.c
>> +++ b/hw/core/qdev.c
>> @@ -354,12 +354,14 @@ void qdev_init_nofail(DeviceState *dev)
>>
>>      assert(!dev->realized);
>>
>> +    object_ref(OBJECT(dev));
>>      object_property_set_bool(OBJECT(dev), true, "realized", &err);
>>      if (err) {
>>          error_reportf_err(err, "Initialization of device %s failed: ",
>>                            object_get_typename(OBJECT(dev)));
>>          exit(1);
>>      }
>> +    object_unref(OBJECT(dev));
>>  }
>>
>>  void qdev_machine_creation_done(void)
>>
> 
> Thanks :)
> 
> (For the list: this fixes qcow2 iotest 051. This is for-2.7.)
> 
> Reviewed-by: John Snow <jsnow@redhat.com>

Queued, thanks.

Paolo