Re: [Qemu-devel] [PATCH] qdev: Fix use after free in qdev_init_nofail error path

From: Igor Mammedov <imammedo@redhat.com>
To: John Snow <jsnow@redhat.com>
Cc: Fam Zheng <famz@redhat.com>, qemu-devel@nongnu.org, ehabkost@redhat.com
Subject: Re: [Qemu-devel] [PATCH] qdev: Fix use after free in qdev_init_nofail error path
Date: Tue, 2 Aug 2016 10:14:53 +0200	[thread overview]
Message-ID: <20160802101453.418ab9c4@nial.brq.redhat.com> (raw)
In-Reply-To: <d43f17ef-1495-95a3-7047-3bf4ac419e5b@redhat.com>

On Tue, 2 Aug 2016 00:00:27 -0400
John Snow <jsnow@redhat.com> wrote:

> On 08/01/2016 11:41 PM, Fam Zheng wrote:
> > Since 69382d8b (qdev: Fix object reference leak in case device.realize()
> > fails), object_property_set_bool could release the object. The error
> > path wants the type name, so hold an reference before realizing it.
> >
> > Cc: Igor Mammedov <imammedo@redhat.com>
> > Signed-off-by: Fam Zheng <famz@redhat.com>
> > ---
> >  hw/core/qdev.c | 2 ++
> >  1 file changed, 2 insertions(+)
> >
> > diff --git a/hw/core/qdev.c b/hw/core/qdev.c
> > index ee4a083..5783442 100644
> > --- a/hw/core/qdev.c
> > +++ b/hw/core/qdev.c
> > @@ -354,12 +354,14 @@ void qdev_init_nofail(DeviceState *dev)
> >
> >      assert(!dev->realized);
> >
> > +    object_ref(OBJECT(dev));
> >      object_property_set_bool(OBJECT(dev), true, "realized", &err);
> >      if (err) {
> >          error_reportf_err(err, "Initialization of device %s failed: ",
> >                            object_get_typename(OBJECT(dev)));
> >          exit(1);
> >      }
> > +    object_unref(OBJECT(dev));
> >  }
> >
> >  void qdev_machine_creation_done(void)
> >  
> 
> Thanks :)
> 
> (For the list: this fixes qcow2 iotest 051. This is for-2.7.)
I don't see any error at 'make check' time,
could you provide reproducer CLI?

> 
> Reviewed-by: John Snow <jsnow@redhat.com>