[Spice-devel] [PATCH] spice_timer_queue: fix access after free
Jonathon Jongsma
jjongsma at redhat.com
Thu Sep 3 07:20:46 PDT 2015
On Thu, 2015-09-03 at 11:22 +0200, Christophe Fergeau wrote:
> On Thu, Sep 03, 2015 at 05:09:31AM -0400, Frediano Ziglio wrote:
> >
> > >
> > > Hey,
> > >
> > > On Thu, Sep 03, 2015 at 09:21:04AM +0100, Frediano Ziglio wrote:
> > > > Do not access to timer after we call the associated function.
> > > > Some of these callbacks can free timer making the pointer pointing
> > > > to freed data.
> > >
> > > Some callbacks are calling
> > > spice_timer_remove()/spice_timer_queue_destroy() which then frees
> > > the SpiceTimer instance? Or is something more complicated happening?
> > >
> > > Christophe
> > >
> >
> > Yes, the callback calls spice_timer_remove.
>
> Can you replace "can free timer" with "can call spice_timer_remove" in
> the log? ACK with that changed.

If timer callbacks are really calling spice_timer_remove(), then we
still have potential problems, since spice_timer_queue_cb() also calls
spice_timer_cancel() after calling the timer->func(). I wonder if it
wouldn't be better to simply change spice_timer_cancel() to return if
the timer is not in the ring rather than asserting...
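As an added illustration of the hazard discussed in this thread (this is not the Spice code and not the patch under review), the following hypothetical one-shot timer queue shows the ordering that avoids the access after free: the dispatcher unlinks the timer and copies out the callback and its argument before invoking it, so a callback that removes and frees its own timer leaves nothing for the dispatcher to touch afterwards; and the cancel routine simply returns when the timer is not linked, as suggested above, instead of asserting. All names (Timer, tq_*, Ctx) are assumptions made for this example.

```c
/* Added example, not the Spice code: a minimal one-shot timer queue whose
 * dispatcher never touches a timer after calling its callback. */
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>

typedef struct Timer Timer;
typedef void (*TimerFunc)(void *opaque);

struct Timer {
    Timer *next;        /* singly linked pending list (the "ring") */
    unsigned expiry;    /* absolute tick at which the timer fires */
    bool pending;       /* true while linked into the pending list */
    TimerFunc func;
    void *opaque;
};

static Timer *pending_head;   /* sorted by expiry, earliest first */
static int freed_count;       /* number of timers freed so far (for checks) */

Timer *tq_add(TimerFunc func, void *opaque)
{
    Timer *t = calloc(1, sizeof *t);
    if (!t)
        return NULL;
    t->func = func;
    t->opaque = opaque;
    return t;
}

/* Unlink from the pending list. Tolerant of a timer that is not linked
 * (e.g. already unlinked by the dispatcher), instead of asserting. */
void tq_cancel(Timer *t)
{
    if (!t->pending)
        return;
    for (Timer **pp = &pending_head; *pp; pp = &(*pp)->next) {
        if (*pp == t) {
            *pp = t->next;
            break;
        }
    }
    t->pending = false;
    t->next = NULL;
}

void tq_start(Timer *t, unsigned expiry)
{
    tq_cancel(t);
    t->expiry = expiry;
    t->pending = true;
    Timer **pp = &pending_head;
    while (*pp && (*pp)->expiry <= expiry)   /* keep list sorted */
        pp = &(*pp)->next;
    t->next = *pp;
    *pp = t;
}

/* Cancel and free. Legal to call from inside the timer's own callback. */
void tq_remove(Timer *t)
{
    tq_cancel(t);
    free(t);
    freed_count++;
}

int tq_pending_count(void)
{
    int n = 0;
    for (Timer *t = pending_head; t; t = t->next)
        n++;
    return n;
}

/* Fire every timer with expiry <= now. Returns the number fired. */
int tq_dispatch(unsigned now)
{
    int fired = 0;
    while (pending_head && pending_head->expiry <= now) {
        Timer *t = pending_head;
        tq_cancel(t);                 /* unlink BEFORE the callback runs */
        TimerFunc func = t->func;     /* copy out what we still need ... */
        void *opaque = t->opaque;
        func(opaque);                 /* ... so `t` is never read after this */
        fired++;
    }
    return fired;
}

struct Ctx { Timer *self; int calls; };

/* Constructed callback that frees its own timer while dispatching. */
static void self_removing_cb(void *opaque)
{
    struct Ctx *c = opaque;
    c->calls++;
    tq_remove(c->self);
    c->self = NULL;
}

/* Scenario: two timers that each remove themselves from their callback. */
int tq_scenario(void)
{
    pending_head = NULL;
    freed_count = 0;
    struct Ctx a = {0}, b = {0};
    a.self = tq_add(self_removing_cb, &a);
    b.self = tq_add(self_removing_cb, &b);
    tq_start(a.self, 10);
    tq_start(b.self, 20);
    int fired = tq_dispatch(15);      /* only a fires and frees itself */
    fired += tq_dispatch(25);         /* then b */
    return fired;                     /* 2, with both timers freed */
}

int main(void)
{
    printf("fired=%d freed=%d pending=%d\n",
           tq_scenario(), freed_count, tq_pending_count());
    return 0;
}
```

Both calls to tq_cancel that happen after the callback has unlinked the timer (the one inside tq_remove, and the one inside tq_start on re-arm) hit the early return on `pending`, which is the behaviour the reply above proposes for spice_timer_cancel(); the dispatcher itself makes no call on the timer at all once func() has run.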