From patchwork Fri Sep 10 10:27:03 2010
X-Patchwork-Submitter: Kevin Wolf
X-Patchwork-Id: 64374
From: Kevin Wolf
To: qemu-devel@nongnu.org
Date: Fri, 10 Sep 2010 12:27:03 +0200
Message-Id: <1284114424-11960-3-git-send-email-mail@kevin-wolf.de>
In-Reply-To: <1284114424-11960-1-git-send-email-mail@kevin-wolf.de>
References: <1284114424-11960-1-git-send-email-mail@kevin-wolf.de>
Cc: Kevin Wolf
Subject: [Qemu-devel] [PATCH 2/3] vvfat: Fix double free for opening the image rw

Allocation and deallocation of bs->opaque is not in the control of a
block driver. Therefore it should not set bs->opaque to a data structure
used by another bs, or closing the image will lead to a double free.

Signed-off-by: Kevin Wolf
---
 block/vvfat.c | 7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/block/vvfat.c b/block/vvfat.c index 5898d66..0772037 100644 --- a/block/vvfat.c +++ b/block/vvfat.c @@ -2768,12 +2768,12 @@ static int vvfat_is_allocated(BlockDriverState *bs, static int write_target_commit(BlockDriverState *bs, int64_t sector_num, const uint8_t* buffer, int nb_sectors) { - BDRVVVFATState* s = bs->opaque; + BDRVVVFATState* s = *((BDRVVVFATState**) bs->opaque); return try_commit(s); } static void write_target_close(BlockDriverState *bs) { - BDRVVVFATState* s = bs->opaque; + BDRVVVFATState* s = *((BDRVVVFATState**) bs->opaque); bdrv_delete(s->qcow); free(s->qcow_filename); } 
@@ -2816,7 +2816,8 @@ static int enable_write_target(BDRVVVFATState *s) s->bs->backing_hd = calloc(sizeof(BlockDriverState), 1); s->bs->backing_hd->drv = &vvfat_write_target; - s->bs->backing_hd->opaque = s; + s->bs->backing_hd->opaque = qemu_malloc(sizeof(void*)); + *(void**)s->bs->backing_hd->opaque = s; return 0; }
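
Review bot: in write_target_close (first hunk, @@ -2768), s->qcow and s->qcow_filename are released but left pointing at freed memory, and after this change s is explicitly a structure that belongs to the other bs and stays live once this function returns. Setting both fields to NULL after bdrv_delete() and free() would keep any later user of s from touching stale pointers. The same hunk repeats the cast `*((BDRVVVFATState**) bs->opaque)` in write_target_commit and write_target_close; a small static helper with a one-line comment on why opaque holds a pointer to the state rather than the state itself would keep the two readers in step with the writer in enable_write_target.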
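
Review bot: in enable_write_target (second hunk, @@ -2816), the slot is sized as `sizeof(void*)` and stored through `*(void**)`, while both readers cast bs->opaque to `BDRVVVFATState**`; using `sizeof(BDRVVVFATState*)` and a `BDRVVVFATState**` store here would make the writer and readers agree on one type. The hunk also lacks a comment saying that opaque is now a separate one-pointer allocation precisely so that whoever frees backing_hd->opaque on close releases only this slot and not s, which is the whole point of the fix per the commit message. Separately, the calloc() result in the context line is dereferenced on the next line without a NULL check.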