Mark McLoughlin wrote:
> On Wed, 2008-12-10 at 21:22 +0800, Han, Weidong wrote:
>>
>> +void kvm_remove_ioperm_data(unsigned long start_port, unsigned long
>> num) +{ + struct ioperm_data *data;
>> +
>> + data = LIST_FIRST(&ioperm_head);
>> + while (data) {
>> + if (data->start_port == start_port && data->num == num) {
>> + LIST_REMOVE(data, entries);
>> + qemu_free(data);
>> + }
>> +
>> + data = LIST_NEXT(data, entries);
>> + }
>> +}
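
Review bot: at the bottom of the while loop, `data = LIST_NEXT(data, entries);` still runs after `qemu_free(data)` whenever the entry matched, so the traversal reads its next pointer out of a node that has already been freed. Read the successor into a local before `LIST_REMOVE`, or `break` right after the free if only one entry can match a given start_port/num pair.
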
>
> Repeating what I said last time:
>
> You've a "use after free bug" here; you free the structure and
> LIST_NEXT de-references the pointer to it in order to obtain the
> pointer to the next structure.
>
> What you need is:
>
> {
>     struct ioperm_data *data;
>
>     data = LIST_FIRST(&ioperm_head);
>     while (data) {
>         struct ioperm_data *next = LIST_NEXT(data, entries);
>
>         if (data->start_port == start_port && data->num == num) {
>             LIST_REMOVE(data, entries);
>             qemu_free(data);
>         }
>
>         data = next;
>     }
> }
>
> Cheers,
> Mark.
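
An instrumented comparison of the two loop orders discussed above, as an added example that is not part of the original message or of the QEMU/KVM code. It assumes nodes come from a static pool, so releasing a node only marks it and reads of released nodes can be counted without undefined behaviour; `released`, `pool`, `stale_reads`, `next_of`, `fill` and `remove_matching` are hypothetical names.

```c
#include <stddef.h>
#include <sys/queue.h>

/* Assumption for this demo: nodes live in a static pool, so "freeing" only
 * marks them and a read of a released node can be counted safely. */
struct ioperm_data {
    unsigned long start_port, num;
    int released;                      /* set where qemu_free() would run */
    LIST_ENTRY(ioperm_data) entries;
};
static LIST_HEAD(, ioperm_data) ioperm_head;
static struct ioperm_data pool[4];
static int stale_reads;                /* link reads on released nodes */

static struct ioperm_data *next_of(struct ioperm_data *d)
{
    stale_reads += d->released;        /* a use-after-free on a real heap */
    return LIST_NEXT(d, entries);
}

/* Constructed sample list: 0x3f8, 0x3f8, 0x2f8, 0x60, each with num = 8. */
static void fill(void)
{
    static const unsigned long ports[4] = { 0x60, 0x2f8, 0x3f8, 0x3f8 };
    LIST_INIT(&ioperm_head);
    stale_reads = 0;
    for (int i = 0; i < 4; i++) {
        pool[i] = (struct ioperm_data){ .start_port = ports[i], .num = 8 };
        LIST_INSERT_HEAD(&ioperm_head, &pool[i], entries);
    }
}

/* safe != 0: read the successor before releasing (the corrected loop);
 * safe == 0: read it afterwards (the order used in the posted patch). */
static int remove_matching(unsigned long start_port, unsigned long num, int safe)
{
    struct ioperm_data *data = LIST_FIRST(&ioperm_head), *next;
    int removed = 0;
    while (data) {
        next = safe ? next_of(data) : NULL;
        if (data->start_port == start_port && data->num == num) {
            LIST_REMOVE(data, entries);
            data->released = 1;        /* stands in for qemu_free(data) */
            removed++;
        }
        data = safe ? next : next_of(data);
    }
    return removed;
}
int main(void) { fill(); remove_matching(0x3f8, 8, 0); return stale_reads != 2; }
```

Both orders unlink the same entries here, which is why the patch's order can appear to work until the freed memory is reused; only the stale-read counter tells them apart.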