> -----Original Message-----
> From: Laszlo Ersek [mailto:ler...@redhat.com]
> Sent: Tuesday, May 27, 2014 6:07 PM
> To: Gonglei (Arei); lcapitul...@redhat.com
> Cc: qemu-devel@nongnu.org; av1...@comtv.ru; kra...@redhat.com;
> qiaonuo...@cn.fujitsu.com; afaer...@suse.de; ebl...@redhat.com;
> pbonz...@redhat.com; m...@redhat.com; Huangweidong (C);
> peter.crosthwa...@xilinx.com; kw...@redhat.com; stefa...@redhat.com;
> crobi...@redhat.com; aligu...@amazon.com; arm...@redhat.com;
> Luonengjun
> Subject: Re: [PATCH 7/8] dump: Fix use-after-free in create_kdump_vmcore()
>
> On 05/27/14 03:40, arei.gong...@huawei.com wrote:
> > From: Gonglei <arei.gong...@huawei.com>
> >
> > Spotted by Coverity:
> >
> > (7) Event closed_arg: "write_dump_pages(DumpState *)" closes "s->fd". [details]
> > Also see events: [pass_closed_arg]
> >
> > 1490 ret = write_dump_pages(s);
> > (8) Event cond_false: Condition "ret < 0", taking false branch
> >
> > 1491 if (ret < 0) {
> > 1492 return -1;
> > (9) Event if_end: End of if statement
> >
> > 1493 }
> > 1494
> > (10) Event pass_closed_arg: Passing closed handle "s->fd" as an argument to function "write_end_flat_header(int)".
> > Also see events: [closed_arg]
> >
> > 1495 ret = write_end_flat_header(s->fd);
> > 1496 if (ret < 0) {
> > 1497 dump_error(s, "dump: failed to write end flat header.\n");
> > 1498 return -1;
> > 1499 }
> > 1500
> > 1501 dump_completed(s);
> > 1502
> > 1503 return 0;
> > 1504 }
> >
> > Signed-off-by: Gonglei <arei.gong...@huawei.com>
> > ---
> > dump.c | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/dump.c b/dump.c
> > index e56b7cf..3a704e9 100644
> > --- a/dump.c
> > +++ b/dump.c
> > @@ -1296,6 +1296,7 @@ static int write_dump_pages(DumpState *s) > > /* prepare buffer to store compressed data */ > > len_buf_out = get_len_buf_out(s->page_size, s->flag_compress); > > if (len_buf_out == 0) { > > + ret = -1; > > dump_error(s, "dump: failed to get length of output buffer.\n"); > > goto out; > > }
>
> This patch conflicts with my pending set (which has one R-b from Paolo).
> Patch 7/7 of the series in question reworks get_len_buf_out(), and then
> write_dump_pages() asserts that the retval is zero.
>
> http://lists.nongnu.org/archive/html/qemu-devel/2014-05/msg03966.html
>
> Gonglei (Arei), can you please rebase this series on mine?
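Review bot: The subject line calls this a use-after-free, but the Coverity events quoted above describe a closed file descriptor being reused (event 7: write_dump_pages() closes "s->fd"; event 10: that handle is passed to write_end_flat_header()), so a title along the lines of "dump: don't use s->fd after write_dump_pages() closed it" would describe the hunk better. The one-line fix itself is right: without `ret = -1;` ahead of `goto out;`, write_dump_pages() returned whatever ret already held, the `if (ret < 0)` at line 1491 took the false branch, and line 1495 wrote the end flat header through the descriptor that write_dump_pages() had already closed. Before resending, it is worth checking whether any other `goto out` in write_dump_pages() that follows a dump_error() call needs the same assignment; and as Laszlo notes, his pending series turns this check into an assert, so the rebase may change or drop this hunk.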
OK. No problem.

Best regards,
-Gonglei
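The failure the Coverity trace and the one-line fix above describe, as an added C example that is not QEMU's code: a `goto out` error path whose cleanup closes the output descriptor but leaves the function's return value at its success default, so the caller's `ret < 0` check passes and the next write goes to a closed descriptor. The `DumpState`, `dump_error()`, `get_len_buf_out()`, `write_dump_pages()`, `write_end_flat_header()` and `create_kdump_vmcore()` names are borrowed from the thread for readability only; their bodies are modelled here (dump_error() closing the fd is the assumption that matches event 7), and the `fixed` switch selects the before/after behaviour of the patched check. Output goes to /dev/null, which assumes a POSIX system.

```c
/* Added example, not QEMU code: models the closed-fd error path from the
 * Coverity trace above.  Names are borrowed from the thread; bodies are
 * invented for the demonstration. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

typedef struct {
    int fd;             /* output descriptor, -1 once closed */
    size_t page_size;
    int flag_compress;
} DumpState;

/* Models dump_error(): report, then release the state, which closes fd
 * (assumption matching Coverity event 7: write_dump_pages() closes s->fd). */
static void dump_error(DumpState *s, const char *msg)
{
    fputs(msg, stderr);
    if (s->fd >= 0) {
        close(s->fd);
        s->fd = -1;
    }
}

/* Stand-in for get_len_buf_out(): returns 0 for an unsupported
 * compression flag, which is the failure the patched check catches. */
static size_t get_len_buf_out(size_t page_size, int flag_compress)
{
    return flag_compress == 0 ? page_size : 0;
}

/* Stand-in for write_end_flat_header(): a real write() on fd, so a closed
 * descriptor shows up as -EBADF instead of silently "succeeding". */
static int write_end_flat_header(int fd)
{
    static const char end_marker[] = "END_FLAT_HEADER";
    ssize_t n = write(fd, end_marker, sizeof end_marker - 1);
    return n == (ssize_t)(sizeof end_marker - 1) ? 0 : -errno;
}

/* The function from the hunk.  With fixed == 0 it behaves as before the
 * patch: ret keeps its initial value 0 on the goto-out path. */
static int write_dump_pages(DumpState *s, int fixed)
{
    int ret = 0;
    size_t len_buf_out;

    len_buf_out = get_len_buf_out(s->page_size, s->flag_compress);
    if (len_buf_out == 0) {
        if (fixed) {
            ret = -1;       /* the one-line fix from the patch */
        }
        dump_error(s, "dump: failed to get length of output buffer.\n");
        goto out;
    }
    (void)len_buf_out;      /* page compression would happen here */
out:
    return ret;
}

/* Caller mirroring create_kdump_vmcore() lines 1490-1499 above.  Returns 0
 * on success, -1 if write_dump_pages() reported failure, and the negative
 * errno if the end-header write itself fails (the closed-fd case). */
static int create_kdump_vmcore(DumpState *s, int fixed)
{
    int ret = write_dump_pages(s, fixed);
    if (ret < 0) {
        return -1;
    }
    ret = write_end_flat_header(s->fd);
    if (ret < 0) {
        return ret;
    }
    return 0;
}

/* Drive one variant on a DumpState whose compression flag makes
 * get_len_buf_out() fail.  Returns create_kdump_vmcore()'s result:
 * -EBADF before the patch (write on a closed fd), -1 after it. */
int run_dump(int fixed)
{
    DumpState s = { .fd = open("/dev/null", O_WRONLY), .page_size = 4096,
                    .flag_compress = 1 };
    int rc = create_kdump_vmcore(&s, fixed);
    if (s.fd >= 0) {
        close(s.fd);
    }
    return rc;
}

int main(void)
{
    printf("before the patch: rc=%d (-EBADF is %d)\n", run_dump(0), -EBADF);
    printf("after the patch:  rc=%d\n", run_dump(1));
    return 0;
}
```

The unpatched path reaches write() with fd == -1 only because nothing between the cleanup and the caller's check records that cleanup happened; the fix makes the return value carry that information, which is the same reason Laszlo's rework replaces the check with an assert rather than relying on the caller.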