| Message ID | 20170630160422.14842-3-maxime.coquelin@redhat.com |
|---|---|
| State | New |
| Headers | show |
----- Original Message ----- > If the backend sends a request just before closing the socket, > the aio dispatcher might schedule its reading after the vhost > device has been cleaned, leading to a NULL pointer dereference > in slave_read(); > > vhost_user_cleanup() already closes the socket but it is not > enough, the handler has to be unregistered. > > Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> > --- > hw/virtio/vhost-user.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c > index 958ee09..2203011 100644 > --- a/hw/virtio/vhost-user.c > +++ b/hw/virtio/vhost-user.c > @@ -779,6 +779,7 @@ static int vhost_user_cleanup(struct vhost_dev *dev) > > u = dev->opaque; > if (u->slave_fd >= 0) { > + qemu_set_fd_handler(u->slave_fd, NULL, NULL, NULL); > close(u->slave_fd); > u->slave_fd = -1; > } > -- > 2.9.4 > >
diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c index 958ee09..2203011 100644 --- a/hw/virtio/vhost-user.c +++ b/hw/virtio/vhost-user.c @@ -779,6 +779,7 @@ static int vhost_user_cleanup(struct vhost_dev *dev) u = dev->opaque; if (u->slave_fd >= 0) { + qemu_set_fd_handler(u->slave_fd, NULL, NULL, NULL); close(u->slave_fd); u->slave_fd = -1; }
If the backend sends a request just before closing the socket, the aio dispatcher might schedule its reading after the vhost device has been cleaned, leading to a NULL pointer dereference in slave_read(); vhost_user_cleanup() already closes the socket but it is not enough, the handler has to be unregistered. Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com> --- hw/virtio/vhost-user.c | 1 + 1 file changed, 1 insertion(+)