79c4324644
Change-Id: I2d302dda68298877c65c99147f5bf22186a59aac
From 02a17066ac3dfb5e53b72b15a80643154990191b Mon Sep 17 00:00:00 2001
From: jiangdongxu <jiangdongxu1@huawei.com>
Date: Thu, 10 Feb 2022 21:50:28 +0800
Subject: [PATCH] bugfix: fix eventfds may double free when vm_id reused in
ivshmem
As the ivshmem Server-Client Protocol describes, when a
client disconnects from the server, server sends disconnect
notifications to the other clients. And the other clients
will free the eventfds of the disconnected client according
to the client ID. If the client ID is reused, the eventfds
may be double freed.
It will be solved by setting eventfds to NULL after freeing
and allocating memory for it when it's used.
Signed-off-by: Peng Liang <liangpeng10@huawei.com>
Signed-off-by: jiangdongxu <jiangdongxu1@huawei.com>
---
hw/misc/ivshmem.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/hw/misc/ivshmem.c b/hw/misc/ivshmem.c
index 1ba4a98377..05f06ed6cf 100644
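--- a/hw/misc/ivshmem.c
+++ b/hw/misc/ivshmem.c
@@ -400,6 +400,7 @@ static void close_peer_eventfds(IVShmemState *s, int posn)
 }
 
 g_free(s->peers[posn].eventfds);
+ s->peers[posn].eventfds = NULL;
 s->peers[posn].nb_eventfds = 0;
 }
 
@@ -530,6 +531,10 @@ static void process_msg_connect(IVShmemState *s, uint16_t posn, int fd,
 close(fd);
 return;
 }
+ if (peer->eventfds == NULL) {
+ peer->eventfds = g_new0(EventNotifier, s->vectors);
+ peer->nb_eventfds = 0;
+ }
 vector = peer->nb_eventfds++;
 
 IVSHMEM_DPRINTF("eventfds[%d][%d] = %d\n", posn, vector, fd);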
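Review bot: The lazy allocation at `if (peer->eventfds == NULL)` in process_msg_connect depends on an invariant that the code never states: once close_peer_eventfds has run, the array is NULL with nb_eventfds 0, and it is re-created with s->vectors entries only when the next connect message for that peer ID arrives. A comment above the check would record this, e.g. `/* eventfds was freed and set to NULL when this peer ID disconnected; re-create it on reuse */`. Any other code that indexes peer->eventfds (not visible in these hunks) has to stay bounded by nb_eventfds so it cannot touch the NULL array between a disconnect and the next connect, which is worth confirming since peer IDs and fds come from the external ivshmem server. The `peer->nb_eventfds = 0;` inside the branch looks redundant with the reset at the end of close_peer_eventfds; either drop it or mark it as defensive. Both functions start outside the hunks shown.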
--
2.27.0