On 05/18/2013 02:22 AM, Sergey Fionov wrote:
> Hello,
>
> There is double unref virChrdevOpen() (src/conf/virchrdev.c) when error occured.
>
> if (virStreamRef(st) < 0) {
> virMutexUnlock(&devs->lock);
> return -1;
> }
Thanks again for the report. I didn't see a reply to this email; so for
closure, I'll point out that it was fixed:
commit a32b41746c4e1a44fb998a93da99c72f6586b359
Author: Ján Tomko <jtomko@xxxxxxxxxx>
Date: Wed May 22 12:56:23 2013 +0200
conf: fix use after free in virChrdevOpen
Don't free the stream on error if we've successfully added it
to the hash table, since it will be freed by virChrdevHashEntryFree
callback.
Preserve the error message before calling virStreamFree, since it
resets the error.
Introduced by 4716138, crashing since 6921892.
Reported by Sergey Fionov on libvir-list.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
Attachment:
signature.asc
Description: OpenPGP digital signature
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list