author | Fam Zheng <famz@redhat.com> | 2015-11-16 14:32:14 +0800 |
---|---|---|
committer | Stefan Hajnoczi <stefanha@redhat.com> | 2015-11-17 18:35:57 +0800 |
commit | 0ed39f3df2d3cf7f0fc3468b057f952a3b251ad9 (patch) | |
tree | 055bc6085299bebe5a25b67fd76813532adefbc9 | |
parent | 02460c3b4287776062715b95c59cd8829015615d (diff) | |
aio-epoll: Fix use-after-free of node
aio_epoll_update needs the fields in node, so delay the free.
Reported-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Fam Zheng <famz@redhat.com>
Message-id: 1447655534-13974-1-git-send-email-famz@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-rw-r--r-- | aio-posix.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/aio-posix.c b/aio-posix.c
index 06148a9..482b316 100644
--- a/aio-posix.c
+++ b/aio-posix.c
@@ -210,6 +210,7 @@ void aio_set_fd_handler(AioContext *ctx,
 {
     AioHandler *node;
     bool is_new = false;
+    bool deleted = false;
 
     node = find_aio_handler(ctx, fd);
 
@@ -228,7 +229,7 @@ void aio_set_fd_handler(AioContext *ctx,
                  * releasing the walking_handlers lock.
                  */
                 QLIST_REMOVE(node, node);
-                g_free(node);
+                deleted = true;
             }
         }
     } else {
@@ -253,6 +254,9 @@ void aio_set_fd_handler(AioContext *ctx,
     aio_epoll_update(ctx, node, is_new);
     aio_notify(ctx);
 
+    if (deleted) {
+        g_free(node);
+    }
 }
 
 void aio_set_event_notifier(AioContext *ctx,
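Review bot: The deferred `g_free(node)` in the third hunk is correct only because `deleted` is set solely on the path that already unlinked the node with QLIST_REMOVE, and nothing in the hunk records why the free must stay below aio_epoll_update(); a comment at the new `if (deleted)` such as `/* Freed here, not at QLIST_REMOVE: aio_epoll_update() above still reads node->pfd. */` would stop a later cleanup from moving the free back up and reintroducing the use-after-free. In the same hunk, `aio_epoll_update(ctx, node, is_new)` is still reached on the delete path when find_aio_handler() returns NULL (that branch is outside the visible lines), with `deleted` left false; it is worth confirming that aio_epoll_update() tolerates a NULL node, since the new flag does not cover that case. The body of aio_set_fd_handler starts before the first hunk and the branches between the hunks are not shown here.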