From 0ed39f3df2d3cf7f0fc3468b057f952a3b251ad9 Mon Sep 17 00:00:00 2001 From: Fam Zheng Date: Mon, 16 Nov 2015 14:32:14 +0800 Subject: [PATCH] aio-epoll: Fix use-after-free of node aio_epoll_update needs the fields in node, so delay the free. Reported-by: Paolo Bonzini Signed-off-by: Fam Zheng Message-id: 1447655534-13974-1-git-send-email-famz@redhat.com Signed-off-by: Stefan Hajnoczi --- aio-posix.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/aio-posix.c b/aio-posix.c index 06148a9..482b316 100644 --- a/aio-posix.c +++ b/aio-posix.c @@ -210,6 +210,7 @@ void aio_set_fd_handler(AioContext *ctx, { AioHandler *node; bool is_new = false; + bool deleted = false; node = find_aio_handler(ctx, fd); @@ -228,7 +229,7 @@ void aio_set_fd_handler(AioContext *ctx, * releasing the walking_handlers lock. */ QLIST_REMOVE(node, node); - g_free(node); + deleted = true; } } } else { @@ -253,6 +254,9 @@ void aio_set_fd_handler(AioContext *ctx, aio_epoll_update(ctx, node, is_new); aio_notify(ctx); + if (deleted) { + g_free(node); + } } void aio_set_event_notifier(AioContext *ctx, -- 2.7.4