qdev: fix use-after-free in the error path of qdev_init_nofail

From Markus: Before: $ qemu-system-x86_64 -display none -drive if=ide qemu-system-x86_64: Device needs media, but drive is empty qemu-system-x86_64: Initialization of device ide-hd failed [Exit 1 ] After: $ qemu-system-x86_64 -display none -drive if=ide qemu-system-x86_64: Device needs media, but drive is empty Segmentation fault (core dumped) [Exit 139 (SIGSEGV)] This error always existed as qdev_init() frees the object. But QOM goes a bit further and purposefully sets the class pointer to NULL to help find use-after-free. It worked :-) Cc: Andreas Faerber <afaerber@suse.de> Reported-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
author: Anthony Liguori <aliguori@us.ibm.com> 2012-06-27 07:37:54 -0500
committer: Anthony Liguori <aliguori@us.ibm.com> 2012-06-27 16:26:59 -0500
commit: 7de3abe505e34398cef5bddf6c4d0bd9ee47007f (patch)
tree: 6c0c64a3d067116f78673ac9d13d1f2e43896657 /hw
parent: d24b569a4162c54426ab5088637b824f54f6ac16 (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/hw/qdev.c b/hw/qdev.c
index a6c4c02947..af544675bf 100644
--- a/hw/qdev.c
+++ b/hw/qdev.c
@@ -258,9 +258,10 @@ int qdev_simple_unplug_cb(DeviceState *dev)
    way is somewhat unclean, and best avoided.  */
 void qdev_init_nofail(DeviceState *dev)
 {
+    const char *typename = object_get_typename(OBJECT(dev));
+
     if (qdev_init(dev) < 0) {
-        error_report("Initialization of device %s failed",
-                     object_get_typename(OBJECT(dev)));
+        error_report("Initialization of device %s failed", typename);
         exit(1);
     }
 }
author	Anthony Liguori <aliguori@us.ibm.com>	2012-06-27 07:37:54 -0500
committer	Anthony Liguori <aliguori@us.ibm.com>	2012-06-27 16:26:59 -0500
commit	7de3abe505e34398cef5bddf6c4d0bd9ee47007f (patch)
tree	6c0c64a3d067116f78673ac9d13d1f2e43896657 /hw
parent	d24b569a4162c54426ab5088637b824f54f6ac16 (diff)