author | Paolo Bonzini <pbonzini@redhat.com> | 2016-11-08 14:55:23 +0100 |
committer | Stefan Hajnoczi <stefanha@redhat.com> | 2016-11-08 17:09:14 +0000 |
commit | 36173ec5f1d3baee62504affd761199693c14c82 (patch) | |
tree | c2fea85821064f805d81aaaae8bb43764b4dd3f9 /aio-posix.c | |
parent | e6af1e085416378918cca357bf2abd8b90224667 (diff) | |
aio-posix: avoid NULL pointer dereference in aio_epoll_update
aio_epoll_update dereferences parameter "node", but it could have been NULL
if deleting an fd handler that was not registered in the first place.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Message-id: 20161108135524.25927-2-pbonzini@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Diffstat (limited to 'aio-posix.c')
-rw-r--r-- | aio-posix.c | 32 |
1 files changed, 17 insertions, 15 deletions
diff --git a/aio-posix.c b/aio-posix.c
index 4ef34dd..304b016 100644
--- a/aio-posix.c
+++ b/aio-posix.c
@@ -217,21 +217,23 @@ void aio_set_fd_handler(AioContext *ctx,
     /* Are we deleting the fd handler? */
     if (!io_read && !io_write) {
-        if (node) {
-            g_source_remove_poll(&ctx->source, &node->pfd);
-
-            /* If the lock is held, just mark the node as deleted */
-            if (ctx->walking_handlers) {
-                node->deleted = 1;
-                node->pfd.revents = 0;
-            } else {
-                /* Otherwise, delete it for real. We can't just mark it as
-                 * deleted because deleted nodes are only cleaned up after
-                 * releasing the walking_handlers lock.
-                 */
-                QLIST_REMOVE(node, node);
-                deleted = true;
-            }
+        if (node == NULL) {
+            return;
+        }
+
+        g_source_remove_poll(&ctx->source, &node->pfd);
+
+        /* If the lock is held, just mark the node as deleted */
+        if (ctx->walking_handlers) {
+            node->deleted = 1;
+            node->pfd.revents = 0;
+        } else {
+            /* Otherwise, delete it for real. We can't just mark it as
+             * deleted because deleted nodes are only cleaned up after
+             * releasing the walking_handlers lock.
+             */
+            QLIST_REMOVE(node, node);
+            deleted = true;
         }
     } else {
         if (node == NULL) { |