[Spice-devel] [PATCH] spice_timer_queue: fix access after free

Jonathon Jongsma jjongsma at redhat.com
Thu Sep 3 07:31:21 PDT 2015


On Thu, 2015-09-03 at 16:20 +0200, Jonathon Jongsma wrote:
> On Thu, 2015-09-03 at 11:22 +0200, Christophe Fergeau wrote:
> > On Thu, Sep 03, 2015 at 05:09:31AM -0400, Frediano Ziglio wrote:
> > > 
> > > > 
> > > > Hey,
> > > > 
> > > > On Thu, Sep 03, 2015 at 09:21:04AM +0100, Frediano Ziglio wrote:
> > > > > Do not access the timer after we call the associated function.
> > > > > Some of these callbacks can free the timer, leaving the pointer
> > > > > pointing to freed data.
> > > > 
> > > > Some callbacks are calling
> > > > spice_timer_remove()/spice_timer_queue_destroy() which then frees
> > > > the SpiceTimer instance? Or is something more complicated happening?
> > > > 
> > > > Christophe
> > > > 
> > > 
> > > Yes, the callback calls spice_timer_remove.
> > 
> > Can you replace "can free timer" with "can call spice_timer_remove" in
> > the log? ACK with that changed.
> 
> 
> If timer callbacks are really calling spice_timer_remove(), then we
> still have potential problems, since spice_timer_queue_cb() also calls
> spice_timer_cancel() after calling the timer->func(). I wonder if it
> wouldn't be better to simply change spice_timer_cancel() to return if
> the timer is not in the ring rather than asserting...


Sorry, never mind. For some reason I thought this was another case where
this pattern happened, but this is the exact code that you are
changing...
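The pattern the thread is arguing about, as an added example that is not spice-server code and uses only hypothetical names: a minimal one-shot timer queue whose dispatch loop copies what it needs and unlinks the timer before invoking the callback and never touches the timer afterwards, and whose remove function returns instead of asserting when the timer is already unlinked (the alternative Jonathon floats above).

```c
/* Added example, not spice-server code: a minimal one-shot timer queue whose
 * dispatch loop never touches a Timer after its callback runs, because the
 * callback may remove (and free) that timer. All names are hypothetical. */
#include <stdlib.h>
typedef void (*TimerFunc)(void *opaque);
typedef struct Timer { struct Timer *next; TimerFunc func; void *opaque;
                       unsigned expiry; } Timer;
typedef struct { Timer *head; } TimerQueue;   /* singly linked, sorted by expiry */
Timer *timer_add(TimerQueue *q, TimerFunc func, void *opaque, unsigned expiry) {
    Timer *t = calloc(1, sizeof *t), **pp = &q->head;
    t->func = func; t->opaque = opaque; t->expiry = expiry;
    while (*pp && (*pp)->expiry <= expiry) pp = &(*pp)->next;   /* sorted insert */
    t->next = *pp; *pp = t;
    return t;
}
/* Returns instead of asserting when the timer is already unlinked, so a
 * callback may remove itself even though dispatch unlinked it beforehand. */
void timer_remove(TimerQueue *q, Timer *t) {
    for (Timer **pp = &q->head; *pp; pp = &(*pp)->next)
        if (*pp == t) { *pp = t->next; break; }
    free(t);
}
/* Fire every timer expired at 'now'. A timer is unlinked and its fields copied
 * BEFORE func() runs, and 't' is never dereferenced afterwards. Re-reading
 * q->head each round also survives a callback removing some other timer. */
int timer_queue_run(TimerQueue *q, unsigned now) {
    int fired = 0; Timer *t;
    while ((t = q->head) && t->expiry <= now) {
        TimerFunc func = t->func; void *opaque = t->opaque;
        q->head = t->next;        /* one-shot: cancelled before the callback */
        t->next = NULL;
        func(opaque);             /* may call timer_remove(q, t), freeing t */
        fired++;
    }
    return fired;
}
/* Constructed scenario: timer A's callback removes (frees) A itself; timer B's
 * callback only counts. Returns the fired count if the queue drained, else -1. */
typedef struct { TimerQueue *q; Timer *self; int *count; } Ctx;
static void cb_self_remove(void *o) { Ctx *c = o; ++*c->count; timer_remove(c->q, c->self); }
static void cb_count(void *o) { ++*(int *)o; }
int demo_self_removing_callback(void) {
    TimerQueue q = { NULL }; int count = 0;
    Ctx a = { &q, NULL, &count };
    a.self = timer_add(&q, cb_self_remove, &a, 5);
    Timer *b = timer_add(&q, cb_count, &count, 10);
    int fired = timer_queue_run(&q, 10), ok = (q.head == NULL && count == 2);
    free(b);                      /* B was unlinked but not freed by its callback */
    return ok ? fired : -1;
}
```

Running this under AddressSanitizer or Valgrind is the practical check: move `func(opaque)` above the `q->head = t->next` line and the self-removing timer turns into the access-after-free the patch is about.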