On Tue, Feb 09, 2021 at 04:37:54PM +0100, Eugenio Pérez wrote:
> +/*
> + * Creates vhost shadow virtqueue, and instruct vhost device to use the
shadow
> + * methods and file descriptors.
> + */
> +VhostShadowVirtqueue *vhost_shadow_vq_new(struct vhost_dev *dev, int idx)
> +{
> + g_autofree VhostShadowVirtqueue *svq = g_new0(VhostShadowVirtqueue,
1);
> + int r;
> +
> + r = event_notifier_init(&svq->kick_notifier, 0);
> + if (r != 0) {
> + error_report("Couldn't create kick event notifier:
%s",
> + strerror(errno));
> + goto err_init_kick_notifier;
> + }
> +
> + r = event_notifier_init(&svq->call_notifier, 0);
> + if (r != 0) {
> + error_report("Couldn't create call event notifier:
%s",
> + strerror(errno));
> + goto err_init_call_notifier;
> + }
> +
> + return svq;
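Review bot: the `goto err_init_call_notifier` path is reached with kick_notifier already initialised, but the label bodies are outside this hunk; err_init_call_notifier needs to call event_notifier_cleanup(&svq->kick_notifier) before returning NULL, otherwise a failure of the second event_notifier_init() leaks the first notifier's file descriptor. Because svq is declared g_autofree, neither label should free svq by hand; they only need the notifier cleanup and a `return NULL;`.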
Use-after-free due to g_autofree. I think this should be:
return g_steal_pointer(&svq)
https://developer.gnome.org/glib/stable/glib-Memory-Allocation.html#g-steal-pointer
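The lifetime bug described above, as an added example that is not part of the patch or the QEMU tree: `autofree` and `steal_pointer` are constructed stand-ins built on the same GCC/Clang cleanup attribute that GLib's g_autofree uses, instrumented so the free can be observed instead of dereferencing a dangling pointer.

```c
#include <stdlib.h>

/* Constructed stand-in for g_autofree: the cleanup handler runs when the
 * variable leaves scope, including on 'return'. frees_seen lets a caller
 * observe whether the handler actually freed something. */
static int frees_seen;
static void autofree_cleanup(void *pp)
{
    void **p = pp;
    if (*p) {
        free(*p);
        *p = NULL;
        frees_seen++;
    }
}
#define autofree __attribute__((cleanup(autofree_cleanup)))

/* Stand-in for g_steal_pointer(): hand ownership to the caller and clear
 * the local, so the cleanup handler sees NULL and frees nothing. */
#define steal_pointer(pp) steal_pointer_impl((void **)(pp))
static void *steal_pointer_impl(void **pp)
{
    void *v = *pp;
    *pp = NULL;
    return v;
}

typedef struct { int kick_fd; int call_fd; } shadow_vq;  /* constructed */

/* Mirrors the reviewed hunk: 'return svq' while the autofree local still
 * owns the allocation. The object is freed on the way out, and the caller
 * receives a dangling pointer (use-after-free on first access). */
static shadow_vq *svq_new_buggy(void)
{
    autofree shadow_vq *svq = calloc(1, sizeof *svq);
    if (!svq) {
        return NULL;
    }
    svq->kick_fd = 3;
    return svq;  /* cleanup runs here: memory freed, returned pointer dangling */
}

/* The fix proposed in the reply: steal the pointer on the success path only.
 * Error paths keep the automatic free, which is what g_autofree is for. */
static shadow_vq *svq_new_fixed(int fail_call_notifier)
{
    autofree shadow_vq *svq = calloc(1, sizeof *svq);
    if (!svq) {
        return NULL;
    }
    svq->kick_fd = 3;
    if (fail_call_notifier) {
        return NULL;  /* svq freed by the cleanup handler, no leak */
    }
    svq->call_fd = 4;
    return steal_pointer(&svq);  /* caller now owns svq; nothing freed here */
}
```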