On Wed, Feb 17, 2021 at 2:01 PM Stefan Hajnoczi <stefa...@redhat.com> wrote:
>
> On Tue, Feb 09, 2021 at 04:37:54PM +0100, Eugenio Pérez wrote:
> > +/*
> > + * Creates vhost shadow virtqueue, and instruct vhost device to use the
> > shadow
> > + * methods and file descriptors.
> > + */
> > +VhostShadowVirtqueue *vhost_shadow_vq_new(struct vhost_dev *dev, int idx)
> > +{
> > +    g_autofree VhostShadowVirtqueue *svq = g_new0(VhostShadowVirtqueue, 1);
> > +    int r;
> > +
> > +    r = event_notifier_init(&svq->kick_notifier, 0);
> > +    if (r != 0) {
> > +        error_report("Couldn't create kick event notifier: %s",
> > +                     strerror(errno));
> > +        goto err_init_kick_notifier;
> > +    }
> > +
> > +    r = event_notifier_init(&svq->call_notifier, 0);
> > +    if (r != 0) {
> > +        error_report("Couldn't create call event notifier: %s",
> > +                     strerror(errno));
> > +        goto err_init_call_notifier;
> > +    }
> > +
> > +    return svq;
>
> Use-after-free due to g_autofree. I think this should be:
>
>   return g_steal_pointer(&svq)
>
> https://developer.gnome.org/glib/stable/glib-Memory-Allocation.html#g-steal-pointer
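Review bot: Besides the g_autofree use-after-free already raised, the error paths in vhost_shadow_vq_new() need attention: the `err_init_kick_notifier` and `err_init_call_notifier` labels are outside the hunk, and on the second failure the already-initialised kick notifier must be released with `event_notifier_cleanup(&svq->kick_notifier)`, since g_autofree only frees the struct and would otherwise leak the eventfd. Because event_notifier_init() returns a negative errno value, reporting with `strerror(-r)` instead of `strerror(errno)` avoids depending on errno surviving until error_report() runs. The header comment also claims the function instructs the vhost device to use the shadow methods and file descriptors, but the visible body only allocates the struct and creates the two notifiers, so either narrow the comment to what the function does or note where that device reconfiguration happens.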
What a miss, thanks for pointing it out!