From: Peter Maydell
Subject: Re: [PULL V2 29/33] net/colo-compare.c: Correct ordering in complete and finalize
Date: Thu, 25 Jun 2020 10:30:24 +0100
On Thu, 18 Jun 2020 at 14:23, Jason Wang <jasowang@redhat.com> wrote:
>
> From: Lukas Straub <lukasstraub2@web.de>
>
> In colo_compare_complete, insert CompareState into net_compares
> only after everything has been initialized.
> In colo_compare_finalize, remove CompareState from net_compares
> before anything is deinitialized.
Hi; this code-motion seems to have prompted Coverity to
discover a possible deref-of-NULL-pointer (cID 1429969):
> @@ -1409,6 +1397,19 @@ static void colo_compare_finalize(Object *obj)
> }
> qemu_mutex_unlock(&colo_compare_mutex);
>
> + qemu_chr_fe_deinit(&s->chr_pri_in, false);
> + qemu_chr_fe_deinit(&s->chr_sec_in, false);
> + qemu_chr_fe_deinit(&s->chr_out, false);
> + if (s->notify_dev) {
> + qemu_chr_fe_deinit(&s->chr_notify_dev, false);
> + }
> +
> + if (s->iothread) {
Here we check s->iothread, which implies that it could be NULL...
> + colo_compare_timer_del(s);
> + }
> +
> + qemu_bh_delete(s->event_bh);
> +
> AioContext *ctx = iothread_get_aio_context(s->iothread);
...but here we pass it to iothread_get_aio_context(), which
unconditionally dereferences it, so will crash if it is NULL.
Either we need to avoid calling this if s->iothread is NULL,
or if it can't ever be NULL then the earlier NULL check was
pointless and can be removed.
> aio_context_acquire(ctx);
> AIO_WAIT_WHILE(ctx, !s->out_sendco.done);
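Review bot: the guard at `if (s->iothread) {` around `colo_compare_timer_del(s)` is contradicted two statements later by the unchanged `AioContext *ctx = iothread_get_aio_context(s->iothread);`, which is reached unconditionally; either the new check is redundant and should go, or the `iothread_get_aio_context()` / `aio_context_acquire(ctx)` / `AIO_WAIT_WHILE(ctx, !s->out_sendco.done)` sequence needs to sit inside the same guard (or the function should return early when `s->iothread` is NULL), and a short comment stating which invariant holds would stop the next reader from having to re-derive it. Two smaller points on the same hunk: after the insertion the `AioContext *ctx = ...` declaration now follows a run of statements, so it should be hoisted to the top of the function to keep declarations ahead of code; and it is worth confirming that calling `qemu_chr_fe_deinit(&s->chr_out, false)` before `AIO_WAIT_WHILE(ctx, !s->out_sendco.done)` is safe, since that wait implies the send coroutine may still be in flight when the output chardev frontend is torn down.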
> --
> 2.5.0
thanks
-- PMM