[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [qemu-xen master] aio-posix: avoid NULL pointer dereference in aio_epoll_update

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
From: patchbot@xxxxxxx
Date: Sat, 07 Jan 2017 14:23:44 +0000
Delivery-date: Sat, 07 Jan 2017 14:23:47 +0000
List-id: "Change log for Mercurial \(receive only\)" <xen-changelog.lists.xen.org>

commit 36173ec5f1d3baee62504affd761199693c14c82
Author:     Paolo Bonzini <pbonzini@xxxxxxxxxx>
AuthorDate: Tue Nov 8 14:55:23 2016 +0100
Commit:     Stefan Hajnoczi <stefanha@xxxxxxxxxx>
CommitDate: Tue Nov 8 17:09:14 2016 +0000

    aio-posix: avoid NULL pointer dereference in aio_epoll_update
    
    aio_epoll_update dereferences parameter "node", but it could have been NULL
    if deleting an fd handler that was not registered in the first place.
    
    Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
    Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
    Message-id: 20161108135524.25927-2-pbonzini@xxxxxxxxxx
    Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
---
 aio-posix.c | 32 +++++++++++++++++---------------
 1 file changed, 17 insertions(+), 15 deletions(-)

diff --git a/aio-posix.c b/aio-posix.c
index 4ef34dd..304b016 100644
--- a/aio-posix.c
+++ b/aio-posix.c
@@ -217,21 +217,23 @@ void aio_set_fd_handler(AioContext *ctx,
 
     /* Are we deleting the fd handler? */
     if (!io_read && !io_write) {
-        if (node) {
-            g_source_remove_poll(&ctx->source, &node->pfd);
-
-            /* If the lock is held, just mark the node as deleted */
-            if (ctx->walking_handlers) {
-                node->deleted = 1;
-                node->pfd.revents = 0;
-            } else {
-                /* Otherwise, delete it for real.  We can't just mark it as
-                 * deleted because deleted nodes are only cleaned up after
-                 * releasing the walking_handlers lock.
-                 */
-                QLIST_REMOVE(node, node);
-                deleted = true;
-            }
+        if (node == NULL) {
+            return;
+        }
+
+        g_source_remove_poll(&ctx->source, &node->pfd);
+
+        /* If the lock is held, just mark the node as deleted */
+        if (ctx->walking_handlers) {
+            node->deleted = 1;
+            node->pfd.revents = 0;
+        } else {
+            /* Otherwise, delete it for real.  We can't just mark it as
+             * deleted because deleted nodes are only cleaned up after
+             * releasing the walking_handlers lock.
+             */
+            QLIST_REMOVE(node, node);
+            deleted = true;
         }
     } else {
         if (node == NULL) {
--
generated by git-patchbot for /home/xen/git/qemu-xen.git#master

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog

Prev by Date: [Xen-changelog] [qemu-xen master] block: Don't mark node clean after failed flush
Next by Date: [Xen-changelog] [qemu-xen master] aio-posix: simplify aio_epoll_update
Previous by thread: [Xen-changelog] [qemu-xen master] block: Don't mark node clean after failed flush
Next by thread: [Xen-changelog] [qemu-xen master] aio-posix: simplify aio_epoll_update
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.