pr-manager: Fix invalid g_free() crash bug

[Qemu-devel] [PATCH] pr-manager: Fix invalid g_free() crash bug

Posted by Markus Armbruster 4 years, 8 months ago

pr_manager_worker() passes its @opaque argument to g_free().  Wrong;
it points to pr_manager_worker()'s automatic @data.  Broken when
commit 2f3a7ab39be converted @data from heap- to stack-allocated.  Fix
by deleting the g_free().

Fixes: 2f3a7ab39bec4ba8022dc4d42ea641165b004e3e
Cc: qemu-stable@nongnu.org
Signed-off-by: Markus Armbruster <armbru@redhat.com>
---
 scsi/pr-manager.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/scsi/pr-manager.c b/scsi/pr-manager.c
index ee43663576..0c866e8698 100644
--- a/scsi/pr-manager.c
+++ b/scsi/pr-manager.c
@@ -39,7 +39,6 @@ static int pr_manager_worker(void *opaque)
     int fd = data->fd;
     int r;
 
-    g_free(data);
     trace_pr_manager_run(fd, hdr->cmdp[0], hdr->cmdp[1]);
 
     /* The reference was taken in pr_manager_execute.  */
-- 
2.21.0

Re: [Qemu-devel] [PATCH] pr-manager: Fix invalid g_free() crash bug

Posted by Philippe Mathieu-Daudé 4 years, 8 months ago

On 8/22/19 3:38 PM, Markus Armbruster wrote:
> pr_manager_worker() passes its @opaque argument to g_free().  Wrong;
> it points to pr_manager_worker()'s automatic @data.  Broken when
> commit 2f3a7ab39be converted @data from heap- to stack-allocated.  Fix
> by deleting the g_free().
> 
> Fixes: 2f3a7ab39bec4ba8022dc4d42ea641165b004e3e
> Cc: qemu-stable@nongnu.org
> Signed-off-by: Markus Armbruster <armbru@redhat.com>
> ---
>  scsi/pr-manager.c | 1 -
>  1 file changed, 1 deletion(-)
> 
> diff --git a/scsi/pr-manager.c b/scsi/pr-manager.c
> index ee43663576..0c866e8698 100644
> --- a/scsi/pr-manager.c
> +++ b/scsi/pr-manager.c
> @@ -39,7 +39,6 @@ static int pr_manager_worker(void *opaque)
>      int fd = data->fd;
>      int r;
>  
> -    g_free(data);
>      trace_pr_manager_run(fd, hdr->cmdp[0], hdr->cmdp[1]);
>  
>      /* The reference was taken in pr_manager_execute.  */
> 

Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>

Re: [Qemu-devel] [PATCH] pr-manager: Fix invalid g_free() crash bug

Posted by Paolo Bonzini 4 years, 8 months ago

On 22/08/19 15:38, Markus Armbruster wrote:
> pr_manager_worker() passes its @opaque argument to g_free().  Wrong;
> it points to pr_manager_worker()'s automatic @data.  Broken when
> commit 2f3a7ab39be converted @data from heap- to stack-allocated.  Fix
> by deleting the g_free().
> 
> Fixes: 2f3a7ab39bec4ba8022dc4d42ea641165b004e3e
> Cc: qemu-stable@nongnu.org
> Signed-off-by: Markus Armbruster <armbru@redhat.com>
> ---
>  scsi/pr-manager.c | 1 -
>  1 file changed, 1 deletion(-)
> 
> diff --git a/scsi/pr-manager.c b/scsi/pr-manager.c
> index ee43663576..0c866e8698 100644
> --- a/scsi/pr-manager.c
> +++ b/scsi/pr-manager.c
> @@ -39,7 +39,6 @@ static int pr_manager_worker(void *opaque)
>      int fd = data->fd;
>      int r;
>  
> -    g_free(data);
>      trace_pr_manager_run(fd, hdr->cmdp[0], hdr->cmdp[1]);
>  
>      /* The reference was taken in pr_manager_execute.  */
> 

Acked-by: Paolo Bonzini <pbonzini@redhat.com>

Since I am disappearing soon, I wouldn't mind if the block layer people
picked this up.

Paolo

Re: [Qemu-devel] [PATCH] pr-manager: Fix invalid g_free() crash bug

Posted by Kevin Wolf 4 years, 7 months ago

Am 22.08.2019 um 15:38 hat Markus Armbruster geschrieben:
> pr_manager_worker() passes its @opaque argument to g_free().  Wrong;
> it points to pr_manager_worker()'s automatic @data.  Broken when
> commit 2f3a7ab39be converted @data from heap- to stack-allocated.  Fix
> by deleting the g_free().
> 
> Fixes: 2f3a7ab39bec4ba8022dc4d42ea641165b004e3e
> Cc: qemu-stable@nongnu.org
> Signed-off-by: Markus Armbruster <armbru@redhat.com>

Thanks, applied to the block branch.

Kevin