bugfix: fix eventfds may double free when vm_id reused in ivshmem
As the ivshmem Server-Client Protocol describes, when a client disconnects from the server, the server sends disconnect notifications to the other clients. And the other clients will free the eventfds of the disconnected client according to the client ID. If the client ID is reused, the eventfds may be double freed.

It will be solved by setting eventfds to NULL after freeing and allocating memory for it when it's used.

Signed-off-by: Peng Liang <liangpeng10@huawei.com>
Signed-off-by: jiangdongxu <jiangdongxu1@huawei.com>
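The failure sequence the commit message describes, and what the two changes do about it, as an added example that is not part of the QEMU patch or of this commit: a C model of the ivshmem peer table that replays "client 0 connects, client 1 connects, client 0 disconnects, a new client is handed ID 0, both disconnect" through the old logic (eager allocation, free on disconnect) and the patched logic (NULL after free, lazy reallocation on connect). A recording allocator, constructed for the example and standing in for ASan, keeps freed blocks mapped and counts the dangling write and the double free instead of letting the process crash. `EventNotifier`, `VECTORS`, `peer_new`, `Report` and the message sequence are assumptions modelled on the commit text, not the real hw/misc/ivshmem.c code.

```c
/* Added example, not from the QEMU patch: a small model of the ivshmem peer
 * table that replays the client-ID reuse sequence from the commit message
 * against the old (eager allocate, free on disconnect) and patched
 * (NULL after free, lazily reallocate) logic. A recording allocator stands
 * in for ASan so the faults are counted instead of crashing the process. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define VECTORS    2      /* assumed value of s->vectors */
#define MAX_PEERS  4
#define MAX_BLOCKS 16

typedef struct { int fd; } EventNotifier;  /* stand-in for QEMU's EventNotifier */
typedef struct { EventNotifier *eventfds; int nb_eventfds; } Peer;
typedef struct { int double_frees, uaf_writes, leaked; } Report;

/* Recording allocator (constructed for the example). Freed blocks stay mapped
 * but are flagged, so a dangling write is observable rather than UB. */
static struct { void *p; int freed; } blocks[MAX_BLOCKS];
static int nblocks, double_frees, uaf_writes;

static void *rec_alloc(size_t n) {
    if (nblocks == MAX_BLOCKS) abort();
    void *p = calloc(1, n);
    blocks[nblocks].p = p;
    blocks[nblocks].freed = 0;
    nblocks++;
    return p;
}
static int rec_index(const void *p) {
    for (int i = 0; i < nblocks; i++) if (blocks[i].p == p) return i;
    return -1;
}
static void rec_free(void *p) {
    if (!p) return;                        /* g_free(NULL) is a no-op */
    int i = rec_index(p);
    if (i < 0 || blocks[i].freed) { double_frees++; return; }
    blocks[i].freed = 1;
}
static void rec_reset(void) {
    for (int i = 0; i < nblocks; i++) free(blocks[i].p);
    nblocks = double_frees = uaf_writes = 0;
}
static int rec_live(void) {
    int n = 0;
    for (int i = 0; i < nblocks; i++) if (!blocks[i].freed) n++;
    return n;
}

/* Eager allocation when a client ID is seen for the first time (the
 * resize_peers role in the commit's description). */
static void peer_new(Peer *p) {
    p->eventfds = rec_alloc(VECTORS * sizeof(EventNotifier));
    p->nb_eventfds = 0;
}

/* Disconnect notification for this peer: drop its eventfds. */
static void close_peer_eventfds(Peer *p, int patched) {
    rec_free(p->eventfds);
    if (patched) p->eventfds = NULL;       /* the patch's first hunk */
    p->nb_eventfds = 0;
}

/* Connect message carrying one eventfd for this peer. Returns 0 on success. */
static int process_msg_connect(Peer *p, int fd, int patched) {
    if (p->nb_eventfds >= VECTORS) return -1;        /* too many vectors */
    if (patched && p->eventfds == NULL) {            /* the patch's second hunk */
        p->eventfds = rec_alloc(VECTORS * sizeof(EventNotifier));
        p->nb_eventfds = 0;
    }
    int i = rec_index(p->eventfds);
    if (i < 0 || blocks[i].freed) uaf_writes++;      /* store through a dangling pointer */
    p->eventfds[p->nb_eventfds++].fd = fd;
    return 0;
}

/* Constructed message sequence: clients 0 and 1 connect, 0 disconnects, a new
 * client is handed the reused ID 0, then both disconnect. */
Report run_scenario(int patched) {
    Peer peers[MAX_PEERS];
    memset(peers, 0, sizeof peers);
    rec_reset();
    peer_new(&peers[0]); process_msg_connect(&peers[0], 10, patched);
    peer_new(&peers[1]); process_msg_connect(&peers[1], 11, patched);
    close_peer_eventfds(&peers[0], patched);     /* client 0 leaves */
    process_msg_connect(&peers[0], 12, patched); /* ID 0 reused: old code writes into the freed block */
    close_peer_eventfds(&peers[0], patched);     /* old code: second free of the same block */
    close_peer_eventfds(&peers[1], patched);
    Report r = { double_frees, uaf_writes, rec_live() };
    return r;
}

int main(void) {
    Report old = run_scenario(0), fixed = run_scenario(1);
    printf("old code: double frees %d, dangling writes %d\n", old.double_frees, old.uaf_writes);
    printf("patched:  double frees %d, dangling writes %d, leaked blocks %d\n",
           fixed.double_frees, fixed.uaf_writes, fixed.leaked);
    return 0;
}
```

The unpatched run reports one dangling write (the reconnect stores into the block freed on disconnect) followed by one double free; the patched run reports neither and leaves no block live, showing that the NULL assignment alone is not enough and the lazy reallocation on connect is what gives the reused ID a fresh array.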
parent 9c3e999acd
commit 4dc229df1a
bugfix-fix-eventfds-may-double-free-when-vm_id-reuse.patch (new file, 48 lines)
@ -0,0 +1,48 @@
From 02a17066ac3dfb5e53b72b15a80643154990191b Mon Sep 17 00:00:00 2001
From: jiangdongxu <jiangdongxu1@huawei.com>
Date: Thu, 10 Feb 2022 21:50:28 +0800
Subject: [PATCH] bugfix: fix eventfds may double free when vm_id reused in
ivshmem
As the ivshmem Server-Client Protocol describes, when a
client disconnects from the server, server sends disconnect
notifications to the other clients. And the other clients
will free the eventfds of the disconnected client according
to the client ID. If the client ID is reused, the eventfds
may be double freed.
It will be solved by setting eventfds to NULL after freeing
and allocating memory for it when it's used.
Signed-off-by: Peng Liang <liangpeng10@huawei.com>
Signed-off-by: jiangdongxu <jiangdongxu1@huawei.com>
---
hw/misc/ivshmem.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/hw/misc/ivshmem.c b/hw/misc/ivshmem.c
index 1ba4a98377..05f06ed6cf 100644
--- a/hw/misc/ivshmem.c
+++ b/hw/misc/ivshmem.c
@@ -400,6 +400,7 @@ static void close_peer_eventfds(IVShmemState *s, int posn)
}
g_free(s->peers[posn].eventfds);
+ s->peers[posn].eventfds = NULL;
s->peers[posn].nb_eventfds = 0;
}
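Review bot: on its own the added `s->peers[posn].eventfds = NULL;` only trades the double free for a NULL dereference on the next connect message for the same posn, because process_msg_connect still expects a usable array there; it is only safe together with the lazy reallocation in the second hunk, so the two hunks must land as one commit and must not be split when backporting. As a style point, glib's `g_clear_pointer(&s->peers[posn].eventfds, g_free);` does the free and the reset in a single statement and makes the intent obvious.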
@@ -530,6 +531,10 @@ static void process_msg_connect(IVShmemState *s, uint16_t posn, int fd,
close(fd);
return;
}
+ if (peer->eventfds == NULL) {
+ peer->eventfds = g_new0(EventNotifier, s->vectors);
+ peer->nb_eventfds = 0;
+ }
vector = peer->nb_eventfds++;
IVSHMEM_DPRINTF("eventfds[%d][%d] = %d\n", posn, vector, fd);
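Review bot: the `peer->nb_eventfds = 0;` inside the new `if (peer->eventfds == NULL)` block silently masks an inconsistent state rather than reporting it; close_peer_eventfds already resets nb_eventfds to 0 right next to the free, so a non-zero count with a NULL array can only mean some other path went wrong, and `assert(peer->nb_eventfds == 0);` would surface that instead of hiding it. The block also wants a one-line comment explaining why eventfds can be NULL here (the array was freed by close_peer_eventfds and the client ID is now being reused), since a reader of process_msg_connect alone cannot tell this is the reconnect path. Keeping the allocation after the existing `close(fd); return;` error exit is the right order; with nb_eventfds at 0 that bounds check cannot trip on a reconnect, so nothing is allocated for a rejected message.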
--
2.27.0