Re: [Qemu-devel] [PATCH] qdev: Fix use after free in qdev_init_nofail error path

From: Fam Zheng
Subject: Re: [Qemu-devel] [PATCH] qdev: Fix use after free in qdev_init_nofail error path
Date: Tue, 2 Aug 2016 16:42:41 +0800
User-agent: Mutt/1.6.1 (2016-04-27)
On Tue, 08/02 09:55, Igor Mammedov wrote:
> qdev_init_nofail() { called with ref == 1
Yes it does.
> object_property_set_bool(true, "realized")
> if error:
> ref == 1
^
This is not the case for qdev: the object is actually released by
object_property_set_bool if it fails.
The problem seems to be that qdev_create doesn't set OBJECT(dev)->parent,
because it eventually calls object_property_add_link instead of
object_property_add_child.
> else:
> ref == 2 (+1 for implicitly assigned parent)
> }
Fam