On Wed, 2008-12-10 at 21:22 +0800, Han, Weidong wrote:
> 
> +void kvm_remove_ioperm_data(unsigned long start_port, unsigned long num)
> +{
> +    struct ioperm_data *data;
> +
> +    data = LIST_FIRST(&ioperm_head);
> +    while (data) {
> +        if (data->start_port == start_port && data->num == num) {
> +            LIST_REMOVE(data, entries);
> +            qemu_free(data);
> +        }
> +
> +        data = LIST_NEXT(data, entries);
> +    }
> +}
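Review bot: `LIST_NEXT(data, entries)` at the bottom of the loop dereferences `data` after `qemu_free(data)` has already released it whenever the entry matched, which is a use-after-free on every successful removal. Read the successor before the match test, e.g. `struct ioperm_data *next = LIST_NEXT(data, entries);` as the first statement of the loop body, and then `data = next;` at the end, so the freed node is never touched again; the same pattern also stays correct if the list ever contains more than one entry for the same (start_port, num) pair.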

Repeating what I said last time:

     You've a "use after free bug" here; you free the structure and
     LIST_NEXT de-references the pointer to it in order to obtain the
     pointer to the next structure.

What you need is:

void kvm_remove_ioperm_data(unsigned long start_port, unsigned long num)
{
    struct ioperm_data *data;

    data = LIST_FIRST(&ioperm_head);
    while (data) {
        /* fetch the successor before the current node can be freed */
        struct ioperm_data *next = LIST_NEXT(data, entries);

        if (data->start_port == start_port && data->num == num) {
            LIST_REMOVE(data, entries);
            qemu_free(data);
        }

        data = next;
    }
}

Cheers,
Mark.
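For readers who want to try the pattern outside the QEMU tree, the following is an added, stand-alone C example (not code from the patch or from QEMU) that models the same list with the `<sys/queue.h>` LIST macros and removes entries with the cached-`next` traversal Mark describes. The `ioperm_add`, `ioperm_remove`, `ioperm_count` and `ioperm_clear` functions, the use of `free()` in place of `qemu_free()`, and the sample port ranges are all assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/queue.h>

/* Hypothetical stand-in for QEMU's struct ioperm_data: one entry per
 * range of I/O ports the guest has been granted direct access to. */
struct ioperm_data {
    unsigned long start_port;
    unsigned long num;
    LIST_ENTRY(ioperm_data) entries;
};

/* Assumed global list head, mirroring ioperm_head in the patch. */
static LIST_HEAD(, ioperm_data) ioperm_head = LIST_HEAD_INITIALIZER(ioperm_head);

/* Insert a new port range at the head of the list; 0 on success, -1 on OOM. */
int ioperm_add(unsigned long start_port, unsigned long num)
{
    struct ioperm_data *data = calloc(1, sizeof(*data));
    if (!data)
        return -1;
    data->start_port = start_port;
    data->num = num;
    LIST_INSERT_HEAD(&ioperm_head, data, entries);
    return 0;
}

/* Remove and free every entry matching (start_port, num); returns the
 * number freed.  The successor pointer is read *before* the match test,
 * so the loop never dereferences a node that has just been freed. */
int ioperm_remove(unsigned long start_port, unsigned long num)
{
    struct ioperm_data *data = LIST_FIRST(&ioperm_head);
    int removed = 0;

    while (data) {
        struct ioperm_data *next = LIST_NEXT(data, entries);

        if (data->start_port == start_port && data->num == num) {
            LIST_REMOVE(data, entries);
            free(data);
            removed++;
        }
        data = next;   /* safe: taken from the node while it was still live */
    }
    return removed;
}

/* Number of port ranges currently registered. */
int ioperm_count(void)
{
    struct ioperm_data *data;
    int n = 0;
    LIST_FOREACH(data, &ioperm_head, entries)
        n++;
    return n;
}

/* Free every entry, leaving the list empty. */
void ioperm_clear(void)
{
    struct ioperm_data *data;
    while ((data = LIST_FIRST(&ioperm_head)) != NULL) {
        LIST_REMOVE(data, entries);
        free(data);
    }
}

int main(void)
{
    /* Constructed sample: three grants, two of them for the same range. */
    ioperm_add(0x3f8, 8);
    ioperm_add(0x60, 1);
    ioperm_add(0x3f8, 8);
    printf("before: %d entries\n", ioperm_count());
    printf("removed: %d\n", ioperm_remove(0x3f8, 8));
    printf("after: %d entries\n", ioperm_count());
    ioperm_clear();
    return 0;
}
```

Building this with `-fsanitize=address` and moving the `LIST_NEXT` call back to the bottom of the loop, as in the original hunk, reproduces the heap-use-after-free report on the first matching entry; with the successor cached up front the run is clean.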

--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html