falso
/
qemu-irix
mirror of https://github.com/n64decomp/qemu-irix.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

aio-epoll: Fix use-after-free of node 

aio_epoll_update needs the fields in node, so delay the free.

Reported-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Fam Zheng <famz@redhat.com>
Message-id: 1447655534-13974-1-git-send-email-famz@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
This commit is contained in:
Fam Zheng 2015-11-16 14:32:14 +08:00 committed by Stefan Hajnoczi
parent 02460c3b42
commit 0ed39f3df2
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
aio-posix.c
View File

@ -210,6 +210,7 @@ void aio_set_fd_handler(AioContext *ctx,
{ {
AioHandler *node; AioHandler *node;
bool is_new = false; bool is_new = false;
bool deleted = false;
node = find_aio_handler(ctx, fd); node = find_aio_handler(ctx, fd);
@ -228,7 +229,7 @@ void aio_set_fd_handler(AioContext *ctx,
* releasing the walking_handlers lock. * releasing the walking_handlers lock.
*/ */
QLIST_REMOVE(node, node); QLIST_REMOVE(node, node);
g_free(node); deleted = true;
} }
} }
} else { } else {
@ -253,6 +254,9 @@ void aio_set_fd_handler(AioContext *ctx,
aio_epoll_update(ctx, node, is_new); aio_epoll_update(ctx, node, is_new);
aio_notify(ctx); aio_notify(ctx);
if (deleted) {
g_free(node);
}
} }
void aio_set_event_notifier(AioContext *ctx, void aio_set_event_notifier(AioContext *ctx,