[1/3] net/colo: fix memory double free error

Message ID 1487577721-31084-2-git-send-email-zhang.zhanghailiang@huawei.com
State New

Commit Message

Zhanghailiang Feb. 20, 2017, 8:01 a.m. UTC
The 'primary_list' and 'secondary_list' members of struct Connection
are not allocated dynamically through g_queue_new(), but we free them by using
g_queue_free(), which will lead to a double-free bug.

Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
---
 net/colo.c | 2 --
 1 file changed, 2 deletions(-)

Comments

Zhang Chen Feb. 21, 2017, 2:25 a.m. UTC | #1
On 02/20/2017 04:01 PM, zhanghailiang wrote:
> The 'primary_list' and 'secondary_list' members of struct Connection
> are not allocated dynamically through g_queue_new(), but we free them by using
> g_queue_free(), which will lead to a double-free bug.
>
> Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
> ---
>   net/colo.c | 2 --
>   1 file changed, 2 deletions(-)
>
> diff --git a/net/colo.c b/net/colo.c
> index 6a6eacd..7d5c423 100644
> --- a/net/colo.c
> +++ b/net/colo.c
> @@ -147,9 +147,7 @@ void connection_destroy(void *opaque)
>       Connection *conn = opaque;
>   
>       g_queue_foreach(&conn->primary_list, packet_destroy, NULL);
> -    g_queue_free(&conn->primary_list);
>       g_queue_foreach(&conn->secondary_list, packet_destroy, NULL);
> -    g_queue_free(&conn->secondary_list);

I think we need to use g_queue_clear() here.

void
g_queue_clear (GQueue *queue);
Removes all the elements in queue. If queue elements contain
dynamically-allocated memory, they should be freed first.

Thanks
Zhang Chen

>       g_slice_free(Connection, conn);
>   }
>
Zhanghailiang Feb. 21, 2017, 3:06 a.m. UTC | #2
On 2017/2/21 10:25, Zhang Chen wrote:
>
>
> On 02/20/2017 04:01 PM, zhanghailiang wrote:
>> The 'primary_list' and 'secondary_list' members of struct Connection
>> are not allocated dynamically through g_queue_new(), but we free them by using
>> g_queue_free(), which will lead to a double-free bug.
>>
>> Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
>> ---
>>    net/colo.c | 2 --
>>    1 file changed, 2 deletions(-)
>>
>> diff --git a/net/colo.c b/net/colo.c
>> index 6a6eacd..7d5c423 100644
>> --- a/net/colo.c
>> +++ b/net/colo.c
>> @@ -147,9 +147,7 @@ void connection_destroy(void *opaque)
>>        Connection *conn = opaque;
>>
>>        g_queue_foreach(&conn->primary_list, packet_destroy, NULL);
>> -    g_queue_free(&conn->primary_list);
>>        g_queue_foreach(&conn->secondary_list, packet_destroy, NULL);
>> -    g_queue_free(&conn->secondary_list);
>
> I think we need to use g_queue_clear() here.
>

Ha, you are right, my original modification will introduce a memory leak.
Will fix in the next version.

> void
> g_queue_clear (GQueue *queue);
> Removes all the elements in queue. If queue elements contain
> dynamically-allocated memory, they should be freed first.
>
> Thanks
> Zhang Chen
>
>>        g_slice_free(Connection, conn);
>>    }
>>
>
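The leak discussed in comments #1 and #2, as an added example that is not QEMU or GLib code: it uses a hand-written stand-in for GQueue so it builds without GLib, and the names Link, Queue, Conn and teardown_leak() are hypothetical. It counts the heap blocks still allocated at the point where the connection would be freed, with and without a clear step on the embedded queues.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added model of GQueue (assumption, not GLib): link nodes live on the heap,
 * the queue header is embedded in its owner, as in struct Connection. */
typedef struct Link { void *data; struct Link *next; } Link;
typedef struct { Link *head, *tail; unsigned length; } Queue;
typedef struct { Queue primary_list; Queue secondary_list; } Conn;

static long live_allocs; /* outstanding heap blocks, for leak accounting */
static void *xalloc(size_t n) { void *p = malloc(n); if (!p) abort(); live_allocs++; return p; }
static void xfree(void *p) { if (p) { live_allocs--; free(p); } }

static void queue_push_tail(Queue *q, void *data) {
    Link *l = xalloc(sizeof *l);
    l->data = data; l->next = NULL;
    if (q->tail) q->tail->next = l; else q->head = l;
    q->tail = l; q->length++;
}

/* Like g_queue_foreach(q, packet_destroy, NULL): frees the payloads only. */
static void queue_foreach_free_data(Queue *q) {
    for (Link *l = q->head; l; l = l->next) { xfree(l->data); l->data = NULL; }
}

/* Like g_queue_clear(): frees the links, never the embedded header. */
static void queue_clear(Queue *q) {
    for (Link *l = q->head, *n; l; l = n) { n = l->next; xfree(l); }
    q->head = q->tail = NULL; q->length = 0;
}

/* Returns how many blocks would leak when the connection itself is freed. */
long teardown_leak(unsigned npkts, int clear_queues) {
    long before = live_allocs;
    Conn *c = xalloc(sizeof *c);
    c->primary_list = c->secondary_list = (Queue){0};
    for (unsigned i = 0; i < npkts; i++) {
        queue_push_tail(&c->primary_list, xalloc(64));   /* constructed packets */
        queue_push_tail(&c->secondary_list, xalloc(64));
    }
    queue_foreach_free_data(&c->primary_list);
    queue_foreach_free_data(&c->secondary_list);
    if (clear_queues) { queue_clear(&c->primary_list); queue_clear(&c->secondary_list); }
    /* Blocks other than c still allocated here are what freeing c would leak. */
    long leaked = live_allocs - before - 1;
    queue_clear(&c->primary_list); queue_clear(&c->secondary_list); /* demo hygiene */
    xfree(c); /* stands in for g_slice_free(Connection, conn) */
    return leaked;
}

int main(void) { printf("no clear: %ld, clear: %ld\n", teardown_leak(3, 0), teardown_leak(3, 1)); return 0; }
```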
Patch

diff --git a/net/colo.c b/net/colo.c
index 6a6eacd..7d5c423 100644
--- a/net/colo.c
+++ b/net/colo.c
@@ -147,9 +147,7 @@  void connection_destroy(void *opaque)
     Connection *conn = opaque;
 
     g_queue_foreach(&conn->primary_list, packet_destroy, NULL);
-    g_queue_free(&conn->primary_list);
     g_queue_foreach(&conn->secondary_list, packet_destroy, NULL);
-    g_queue_free(&conn->secondary_list);
     g_slice_free(Connection, conn);
 }
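Review bot: With both g_queue_free() calls dropped from connection_destroy(), nothing releases the link nodes of primary_list and secondary_list before g_slice_free(Connection, conn) runs, so they leak. g_queue_foreach(..., packet_destroy, NULL) only destroys the packets the links point to. Because both queues are embedded members of Connection, put g_queue_clear(&conn->primary_list) and g_queue_clear(&conn->secondary_list) where the removed lines were, as comment #1 suggests. The commit message could also say that the removed calls passed g_queue_free() the address of an embedded member that never came from g_queue_new(), since that is the defect visible in these lines.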