From 36173ec5f1d3baee62504affd761199693c14c82 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini
Date: Tue, 8 Nov 2016 14:55:23 +0100
Subject: aio-posix: avoid NULL pointer dereference in aio_epoll_update

aio_epoll_update dereferences parameter "node", but it could have been NULL if deleting an fd handler that was not registered in the first place.

Signed-off-by: Paolo Bonzini
Reviewed-by: Fam Zheng
Message-id: 20161108135524.25927-2-pbonzini@redhat.com
Signed-off-by: Stefan Hajnoczi
---
 aio-posix.c | 32 +++++++++++++++++---------------
 1 file changed, 17 insertions(+), 15 deletions(-)

diff --git a/aio-posix.c b/aio-posix.c
index 4ef34dd175..304b0168ff 100644
--- a/aio-posix.c
+++ b/aio-posix.c
@@ -217,21 +217,23 @@ void aio_set_fd_handler(AioContext *ctx,
 /* Are we deleting the fd handler? */
 if (!io_read && !io_write) {
- if (node) {
- g_source_remove_poll(&ctx->source, &node->pfd);
-
- /* If the lock is held, just mark the node as deleted */
- if (ctx->walking_handlers) {
- node->deleted = 1;
- node->pfd.revents = 0;
- } else {
- /* Otherwise, delete it for real. We can't just mark it as
- * deleted because deleted nodes are only cleaned up after
- * releasing the walking_handlers lock.
- */
- QLIST_REMOVE(node, node);
- deleted = true;
- }
+ if (node == NULL) {
+ return;
+ }
+
+ g_source_remove_poll(&ctx->source, &node->pfd);
+
+ /* If the lock is held, just mark the node as deleted */
+ if (ctx->walking_handlers) {
+ node->deleted = 1;
+ node->pfd.revents = 0;
+ } else {
+ /* Otherwise, delete it for real. We can't just mark it as
+ * deleted because deleted nodes are only cleaned up after
+ * releasing the walking_handlers lock.
+ */
+ QLIST_REMOVE(node, node);
+ deleted = true;
 }
 } else {
 if (node == NULL) {
--
cgit v1.2.3
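Review bot: The new `if (node == NULL) { return; }` at the top of the delete branch leaves aio_set_fd_handler before anything that follows the if/else, and the function body continues outside the hunk, so whatever runs after it for the normal delete path — the aio_epoll_update call named in the subject, and presumably the `deleted`-driven free and any context notification — is now skipped when the fd was never registered. That is the intended no-op, but it is worth confirming that no bookkeeping later in the function is expected to run even in that case. A one-line comment above the check would make the intent explicit to the next reader: `/* Deleting a handler that was never registered is a no-op. */`. Inferred, not visible in the hunk: `deleted` is initialised to false before the hunk and consumed after it.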