From: Michael Roth <mdroth@linux.vnet.ibm.com>
To: qemu-devel@nongnu.org
Cc: Kevin Wolf <kwolf@redhat.com>,
qemu-stable@nongnu.org, Markus Armbruster <armbru@redhat.com>
Subject: [PATCH 75/97] pr-manager: Fix invalid g_free() crash bug
Date: Tue, 1 Oct 2019 18:45:54 -0500 [thread overview]
Message-ID: <20191001234616.7825-76-mdroth@linux.vnet.ibm.com> (raw)
In-Reply-To: <20191001234616.7825-1-mdroth@linux.vnet.ibm.com>
From: Markus Armbruster <armbru@redhat.com>
pr_manager_worker() passes its @opaque argument to g_free(). Wrong;
it points to pr_manager_worker()'s automatic @data. Broken when
commit 2f3a7ab39be converted @data from heap- to stack-allocated. Fix
by deleting the g_free().
Fixes: 2f3a7ab39bec4ba8022dc4d42ea641165b004e3e
Cc: qemu-stable@nongnu.org
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 6b9d62c2a9e83bbad73fb61406f0ff69b46ff6f3)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
scsi/pr-manager.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/scsi/pr-manager.c b/scsi/pr-manager.c
index d9f4e8c3ad..227bdfaad2 100644
--- a/scsi/pr-manager.c
+++ b/scsi/pr-manager.c
@@ -38,7 +38,6 @@ static int pr_manager_worker(void *opaque)
int fd = data->fd;
int r;
- g_free(data);
trace_pr_manager_run(fd, hdr->cmdp[0], hdr->cmdp[1]);
/* The reference was taken in pr_manager_execute. */
--
2.17.1
next prev parent reply other threads:[~2019-10-02 1:41 UTC|newest]
Thread overview: 107+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-01 23:44 [PATCH 00/97] Patch Round-up for stable 4.0.1, freeze on 2019-10-10 Michael Roth
2019-10-01 23:44 ` [PATCH 01/97] qcow2: Avoid COW during metadata preallocation Michael Roth
2019-10-01 23:44 ` [PATCH 02/97] qcow2: Add errp to preallocate_co() Michael Roth
2019-10-01 23:44 ` [PATCH 03/97] qcow2: Fix full preallocation with external data file Michael Roth
2019-10-01 23:44 ` [PATCH 04/97] megasas: fix mapped frame size Michael Roth
2019-10-01 23:44 ` [PATCH 05/97] qcow2: Fix qcow2_make_empty() with external data file Michael Roth
2019-10-01 23:44 ` [PATCH 06/97] block: Fix AioContext switch for bs->drv == NULL Michael Roth
2019-10-01 23:44 ` [PATCH 07/97] cutils: Fix size_to_str() on 32-bit platforms Michael Roth
2019-10-01 23:44 ` [PATCH 08/97] Makefile: add nit-picky mode to sphinx-build Michael Roth
2019-10-01 23:44 ` [PATCH 09/97] docs/interop/bitmaps: rewrite and modernize doc Michael Roth
2019-10-01 23:44 ` [PATCH 10/97] spapr/xive: fix EQ page addresses above 64GB Michael Roth
2019-10-01 23:44 ` [PATCH 11/97] kbd-state: fix autorepeat handling Michael Roth
2019-10-01 23:44 ` [PATCH 12/97] usb-tablet: fix serial compat property Michael Roth
2019-10-01 23:44 ` [PATCH 13/97] block/file-posix: Unaligned O_DIRECT block-status Michael Roth
2019-10-01 23:44 ` [PATCH 14/97] iotests: Test unaligned raw images with O_DIRECT Michael Roth
2019-10-01 23:44 ` [PATCH 15/97] s390x/cpumodel: ignore csske for expansion Michael Roth
2019-10-01 23:44 ` [PATCH 16/97] blockdev-backup: don't check aio_context too early Michael Roth
2019-10-01 23:44 ` [PATCH 17/97] block: Drain source node in bdrv_replace_node() Michael Roth
2019-10-01 23:44 ` [PATCH 18/97] iotests: Test commit job start with concurrent I/O Michael Roth
2019-10-01 23:44 ` [PATCH 19/97] iotests.py: do not use infinite waits Michael Roth
2019-10-01 23:44 ` [PATCH 20/97] QEMUMachine: add events_wait method Michael Roth
2019-10-01 23:45 ` [PATCH 21/97] iotests.py: Fix VM.run_job Michael Roth
2019-10-01 23:45 ` [PATCH 22/97] iotests.py: rewrite run_job to be pickier Michael Roth
2019-10-01 23:45 ` [PATCH 23/97] iotests: add iotest 256 for testing blockdev-backup across iothread contexts Michael Roth
2019-10-01 23:45 ` [PATCH 24/97] migration/dirty-bitmaps: change bitmap enumeration method Michael Roth
2019-10-01 23:45 ` [PATCH 25/97] vhost: fix vhost_log size overflow during migration Michael Roth
2019-10-01 23:45 ` [PATCH 26/97] target/ppc: Fix xvabs[sd]p, xvnabs[sd]p, xvneg[sd]p, xvcpsgn[sd]p Michael Roth
2019-10-01 23:45 ` [PATCH 27/97] target/ppc: Fix xvxsigdp Michael Roth
2019-10-01 23:45 ` [PATCH 28/97] target/ppc: Fix xxbrq, xxbrw Michael Roth
2019-10-01 23:45 ` [PATCH 29/97] target/ppc: Fix vsum2sws Michael Roth
2019-10-01 23:45 ` [PATCH 30/97] target/ppc: Fix lxvw4x, lxvh8x and lxvb16x Michael Roth
2019-10-01 23:45 ` [PATCH 31/97] q35: Revert to kernel irqchip Michael Roth
2019-10-01 23:45 ` [PATCH 32/97] vl: Fix -drive / -blockdev persistent reservation management Michael Roth
2019-10-01 23:45 ` [PATCH 33/97] target/i386: add MDS-NO feature Michael Roth
2019-10-01 23:45 ` [PATCH 34/97] target/i386: define md-clear bit Michael Roth
2019-10-01 23:45 ` [PATCH 35/97] docs: recommend use of md-clear feature on all Intel CPUs Michael Roth
2019-10-01 23:45 ` [PATCH 36/97] virtio-pci: fix missing device properties Michael Roth
2019-10-01 23:45 ` [PATCH 37/97] usbredir: fix buffer-overflow on vmload Michael Roth
2019-10-01 23:45 ` [PATCH 38/97] virtio-balloon: fix QEMU 4.0 config size migration incompatibility Michael Roth
2019-10-01 23:45 ` [PATCH 39/97] docs/interop/bitmaps.rst: Fix typos Michael Roth
2019-10-01 23:45 ` [PATCH 40/97] sphinx: add qmp_lexer Michael Roth
2019-10-01 23:45 ` [PATCH 41/97] docs/bitmaps: use QMP lexer instead of json Michael Roth
2019-10-01 23:45 ` [PATCH 42/97] hw/ssi/xilinx_spips: Convert lqspi_read() to read_with_attrs Michael Roth
2019-10-01 23:45 ` [PATCH 43/97] hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory Michael Roth
2019-10-01 23:45 ` [PATCH 44/97] hw/ssi/xilinx_spips: Avoid out-of-bound access to lqspi_buf[] Michael Roth
2019-10-01 23:45 ` [PATCH 45/97] ioapic: kvm: Skip route updates for masked pins Michael Roth
2019-10-01 23:45 ` [PATCH 46/97] i386/acpi: show PCI Express bus on pxb-pcie expanders Michael Roth
2019-10-01 23:45 ` [PATCH 47/97] virtio-balloon: Fix wrong sign extension of PFNs Michael Roth
2019-10-01 23:45 ` [PATCH 48/97] virtio-balloon: Fix QEMU crashes on pagesize > BALLOON_PAGE_SIZE Michael Roth
2019-10-01 23:45 ` [PATCH 49/97] virtio-balloon: Simplify deflate with pbp Michael Roth
2019-10-01 23:45 ` [PATCH 50/97] virtio-balloon: Better names for offset variables in inflate/deflate code Michael Roth
2019-10-01 23:45 ` [PATCH 51/97] virtio-balloon: Rework pbp tracking data Michael Roth
2019-10-01 23:45 ` [PATCH 52/97] virtio-balloon: Use temporary PBP only Michael Roth
2019-10-01 23:45 ` [PATCH 53/97] virtio-balloon: don't track subpages for the PBP Michael Roth
2019-10-01 23:45 ` [PATCH 54/97] virtio-balloon: free pbp more aggressively Michael Roth
2019-10-01 23:45 ` [PATCH 55/97] i386/acpi: fix gint overflow in crs_range_compare Michael Roth
2019-10-01 23:45 ` [PATCH 56/97] tpm: Exit in reset when backend indicates failure Michael Roth
2019-10-01 23:45 ` [PATCH 57/97] tpm_emulator: Translate TPM error codes to strings Michael Roth
2019-10-01 23:45 ` [PATCH 58/97] block/backup: simplify backup_incremental_init_copy_bitmap Michael Roth
2019-10-01 23:45 ` [PATCH 59/97] block/backup: move to copy_bitmap with granularity Michael Roth
2019-10-01 23:45 ` [PATCH 60/97] block/backup: refactor and tolerate unallocated cluster skipping Michael Roth
2019-10-01 23:45 ` [PATCH 61/97] block/backup: unify different modes code path Michael Roth
2019-10-01 23:45 ` [PATCH 62/97] block/backup: refactor: split out backup_calculate_cluster_size Michael Roth
2019-10-01 23:45 ` [PATCH 63/97] backup: Copy only dirty areas Michael Roth
2019-10-01 23:45 ` [PATCH 64/97] iotests: Test backup job with two guest writes Michael Roth
2019-10-01 23:45 ` [PATCH 65/97] util/hbitmap: update orig_size on truncate Michael Roth
2019-10-01 23:45 ` [PATCH 66/97] iotests: Test incremental backup after truncation Michael Roth
2019-10-01 23:45 ` [PATCH 67/97] mirror: Only mirror granularity-aligned chunks Michael Roth
2019-10-01 23:45 ` [PATCH 68/97] iotests: Test unaligned blocking mirror write Michael Roth
2019-10-01 23:45 ` [PATCH 69/97] block/backup: disable copy_range for compressed backup Michael Roth
2019-10-01 23:45 ` [PATCH 70/97] Revert "ide/ahci: Check for -ECANCELED in aio callbacks" Michael Roth
2019-10-01 23:45 ` [PATCH 71/97] qcow2: Fix the calculation of the maximum L2 cache size Michael Roth
2019-10-01 23:45 ` [PATCH 72/97] dma-helpers: ensure AIO callback is invoked after cancellation Michael Roth
2019-10-01 23:45 ` [PATCH 73/97] target/arm: Don't abort on M-profile exception return in linux-user mode Michael Roth
2019-10-01 23:45 ` [PATCH 74/97] xen-bus: Fix backend state transition on device reset Michael Roth
2019-10-01 23:45 ` Michael Roth [this message]
2019-10-01 23:45 ` [PATCH 76/97] iotests: add testing shim for script-style python tests Michael Roth
2019-10-01 23:45 ` [PATCH 77/97] vpc: Return 0 from vpc_co_create() on success Michael Roth
2019-10-01 23:45 ` [PATCH 78/97] iotests: Add supported protocols to execute_test() Michael Roth
2019-10-01 23:45 ` [PATCH 79/97] iotests: Restrict file Python tests to file Michael Roth
2019-10-01 23:45 ` [PATCH 80/97] iotests: Restrict nbd Python tests to nbd Michael Roth
2019-10-01 23:46 ` [PATCH 81/97] iotests: Test blockdev-create for vpc Michael Roth
2019-10-01 23:46 ` [PATCH 82/97] libvhost-user: fix SLAVE_SEND_FD handling Michael Roth
2019-10-01 23:46 ` [PATCH 83/97] block/create: Do not abort if a block driver is not available Michael Roth
2019-10-01 23:46 ` [PATCH 84/97] block/nfs: tear down aio before nfs_close Michael Roth
2019-10-01 23:46 ` [PATCH 85/97] blockjob: update nodes head while removing all bdrv Michael Roth
2019-10-01 23:46 ` [PATCH 86/97] curl: Keep pointer to the CURLState in CURLSocket Michael Roth
2019-10-01 23:46 ` [PATCH 87/97] curl: Keep *socket until the end of curl_sock_cb() Michael Roth
2019-10-01 23:46 ` [PATCH 88/97] curl: Check completion in curl_multi_do() Michael Roth
2019-10-01 23:46 ` [PATCH 89/97] curl: Pass CURLSocket to curl_multi_do() Michael Roth
2019-10-01 23:46 ` [PATCH 90/97] curl: Report only ready sockets Michael Roth
2019-10-01 23:46 ` [PATCH 91/97] curl: Handle success in multi_check_completion Michael Roth
2019-10-01 23:46 ` [PATCH 92/97] curl: Check curl_multi_add_handle()'s return code Michael Roth
2019-10-01 23:46 ` [PATCH 93/97] slirp: Fix heap overflow in ip_reass on big packet input Michael Roth
2019-10-01 23:46 ` [PATCH 94/97] slirp: ip_reass: Fix use after free Michael Roth
2019-10-01 23:46 ` [PATCH 95/97] s390: PCI: fix IOMMU region init Michael Roth
2019-10-01 23:46 ` [PATCH 96/97] hw/core/loader: Fix possible crash in rom_copy() Michael Roth
2019-10-01 23:46 ` [PATCH 97/97] scsi: lsi: exit infinite loop while executing script (CVE-2019-12068) Michael Roth
2019-10-02 4:40 ` [PATCH 00/97] Patch Round-up for stable 4.0.1, freeze on 2019-10-10 Thomas Huth
2019-10-03 18:56 ` Michael Roth
2019-10-03 22:43 ` Philippe Mathieu-Daudé
2019-10-07 15:57 ` Alexandr Iarygin
2019-10-08 13:04 ` Philippe Mathieu-Daudé
2019-10-09 14:17 ` Michael Roth
2019-10-09 14:23 ` Philippe Mathieu-Daudé
2019-10-17 22:19 ` Michael Roth
2019-10-11 9:51 ` Anthony PERARD
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191001234616.7825-76-mdroth@linux.vnet.ibm.com \
--to=mdroth@linux.vnet.ibm.com \
--cc=armbru@redhat.com \
--cc=kwolf@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.