From 3bf92c57253fdf61bdf0502c31dba5e215dfb192 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Wed, 22 Feb 2012 14:11:21 +0100
Subject: [PATCH 005/109] qiov: prevent double free or use-after-free

RH-Author: Paolo Bonzini <pbonzini@redhat.com>
Message-id: <1329919979-20948-5-git-send-email-pbonzini@redhat.com>
Patchwork-id: 37486
O-Subject: [RHEL 6.3 qemu-kvm PATCH v2 004/102] qiov: prevent double free or use-after-free
Bugzilla: 782029
RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Orit Wasserman <owasserm@redhat.com>

qemu_iovec_destroy does not clear the QEMUIOVector fully, and the data
could thus be used after free or freed again.  While I do not know any
example in the tree, I observed this using virtio-scsi (and SCSI
scatter/gather) when canceling DMA requests.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from bd83b3620517ef9f2079cfda465953e60263f623)

Conflicts:
	cutils.c (qemu_free vs. g_free)
---
 cutils.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

Signed-off-by: Michal Novotny <minovotn@redhat.com>
---
 cutils.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/cutils.c b/cutils.c
index 94d58da..0edbbfd 100644
--- a/cutils.c
+++ b/cutils.c
@@ -217,7 +217,10 @@ void qemu_iovec_destroy(QEMUIOVector *qiov)
 {
     assert(qiov->nalloc != -1);
 
+    qemu_iovec_reset(qiov);
     qemu_free(qiov->iov);
+    qiov->nalloc = 0;
+    qiov->iov = NULL;
 }
 
 void qemu_iovec_reset(QEMUIOVector *qiov)
-- 
1.7.7.6