[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-block] [PATCH 11/14] mirror: Fix potential use-after-free in a
From: |
Kevin Wolf |
Subject: |
Re: [Qemu-block] [PATCH 11/14] mirror: Fix potential use-after-free in active commit |
Date: |
Tue, 11 Sep 2018 11:32:17 +0200 |
User-agent: |
Mutt/1.9.1 (2017-09-22) |
Am 11.09.2018 um 10:31 hat Fam Zheng geschrieben:
> On Fri, 09/07 18:15, Kevin Wolf wrote:
> > When starting an active commit job, other callbacks can run before
> > mirror_start_job() calls bdrv_ref() where needed and cause the nodes to
> > go away. Add another pair of bdrv_ref/unref() around it to protect
> > against this case.
> >
> > Signed-off-by: Kevin Wolf <address@hidden>
> > ---
> > block/mirror.c | 9 +++++++++
> > 1 file changed, 9 insertions(+)
> >
> > diff --git a/block/mirror.c b/block/mirror.c
> > index 6cc10df5c9..c42999eadf 100644
> > --- a/block/mirror.c
> > +++ b/block/mirror.c
> > @@ -1679,6 +1679,11 @@ void commit_active_start(const char *job_id,
> > BlockDriverState *bs,
> >
> > orig_base_flags = bdrv_get_flags(base);
> >
> > + /* bdrv_reopen() drains, which might make the BDSes go away before a
> > + * reference is taken in mirror_start_job(). */
> > + bdrv_ref(bs);
> > + bdrv_ref(base);
> > +
> > if (bdrv_reopen(base, bs->open_flags, errp)) {
>
> Doesn't it need bdrv_unref's in this branch?
Yes, of course. Thanks for catching this!
Kevin
- [Qemu-block] [PATCH 08/14] block-backend: Add .drained_poll callback, (continued)
- [Qemu-block] [PATCH 08/14] block-backend: Add .drained_poll callback, Kevin Wolf, 2018/09/07
- [Qemu-block] [PATCH 09/14] block-backend: Fix potential double blk_delete(), Kevin Wolf, 2018/09/07
- [Qemu-block] [PATCH 12/14] blockjob: Lie better in child_job_drained_poll(), Kevin Wolf, 2018/09/07
- [Qemu-block] [PATCH 10/14] block-backend: Decrease in_flight only after callback, Kevin Wolf, 2018/09/07
- [Qemu-block] [PATCH 11/14] mirror: Fix potential use-after-free in active commit, Kevin Wolf, 2018/09/07
- [Qemu-block] [PATCH 13/14] block: Remove aio_poll() in bdrv_drain_poll variants, Kevin Wolf, 2018/09/07
- [Qemu-block] [PATCH 14/14] test-bdrv-drain: Test nested poll in bdrv_drain_poll_top_level(), Kevin Wolf, 2018/09/07