[Qemu-devel] [PATCH 57/79] commit: Fix use after free in completion
From: Michael Roth
Subject: [Qemu-devel] [PATCH 57/79] commit: Fix use after free in completion
Date: Mon, 28 Aug 2017 19:14:32 -0500
From: Kevin Wolf <address@hidden>
The final bdrv_set_backing_hd() could be working on already freed nodes
because the commit job drops its references (through BlockBackends) to
both overlay_bs and top already a bit earlier.
One way to trigger the bug is hot unplugging a disk for which
blockdev_mark_auto_del() cancels the block job.
Fix this by taking BDS-level references while we're still using the
nodes.
Cc: address@hidden
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: John Snow <address@hidden>
(cherry picked from commit 19ebd13ed45ad5d5f277f5914d55b83f13eb09eb)
Signed-off-by: Michael Roth <address@hidden>
---
block/commit.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/block/commit.c b/block/commit.c
index 76a0d98..3bae46e 100644
--- a/block/commit.c
+++ b/block/commit.c
@@ -89,6 +89,10 @@ static void commit_complete(BlockJob *job, void *opaque)
int ret = data->ret;
bool remove_commit_top_bs = false;
+ /* Make sure overlay_bs and top stay around until bdrv_set_backing_hd() */
+ bdrv_ref(top);
+ bdrv_ref(overlay_bs);
+
/* Remove base node parent that still uses BLK_PERM_WRITE/RESIZE before
* the normal backing chain can be restored. */
blk_unref(s->base);
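Review bot: the two bdrv_ref() calls are unconditional, so this hunk relies on both top and overlay_bs being non-NULL at this point; bdrv_ref() increments bs->refcnt without a NULL guard, unlike bdrv_unref(), which returns early on NULL. If overlay_bs can be NULL in any completion path (the lines computing it are outside the hunk), the ref needs the same guard, otherwise a short note in the comment that both pointers are guaranteed valid here would help the next reader.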
@@ -124,6 +128,9 @@ static void commit_complete(BlockJob *job, void *opaque)
if (remove_commit_top_bs) {
bdrv_set_backing_hd(overlay_bs, top, &error_abort);
}
+
+ bdrv_unref(overlay_bs);
+ bdrv_unref(top);
}
static void coroutine_fn commit_run(void *opaque)
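Review bot: the references taken at the start of commit_complete() are only released here, at the very end of the function; if any early return or goto exists in the roughly 35 lines between the two hunks (not shown in the diff), the two references leak and top and overlay_bs are never freed. Suggest either confirming the function has a single exit or moving the unrefs to a common cleanup label so every path releases them.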
--
2.7.4
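The commit message describes the classic ordering bug: the job's own handles (BlockBackends) are the last holders of the nodes, they are dropped early, and a later call still uses the nodes. The following is an added C illustration of that pattern and of the fix (hold a node-level reference across the window), not QEMU code. Node, Owner, node_ref(), node_unref(), owner_new(), owner_unref(), set_backing_hd() and complete() are stand-ins for BlockDriverState, BlockBackend, bdrv_ref(), bdrv_unref(), blk_unref(), bdrv_set_backing_hd() and commit_complete(); freeing is replaced by a `freed` flag so the stale use can be reported instead of being undefined behaviour.

```c
#include <assert.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not QEMU code. Node stands in for a BlockDriverState
 * with a BDS-level refcount; Owner stands in for a BlockBackend holding one
 * reference on behalf of the commit job. */
typedef struct Node {
    char name[16];
    int refcnt;
    struct Node *backing;
    int freed;  /* set instead of calling free(), so a use after the last
                   unref can be reported rather than being undefined behaviour */
} Node;

typedef struct Owner {
    Node *bs;
} Owner;

static Node *node_new(const char *name)
{
    Node *n = calloc(1, sizeof(*n));
    strncpy(n->name, name, sizeof(n->name) - 1);
    n->refcnt = 1;  /* creator's reference */
    return n;
}

static void node_ref(Node *n)
{
    assert(!n->freed);
    n->refcnt++;
}

static void node_unref(Node *n)
{
    if (!n) {
        return;
    }
    assert(!n->freed);
    if (--n->refcnt == 0) {
        n->freed = 1;  /* a real bdrv_unref() would free the node here */
    }
}

static Owner *owner_new(Node *bs)
{
    Owner *o = calloc(1, sizeof(*o));
    node_ref(bs);
    o->bs = bs;
    return o;
}

static void owner_unref(Owner *o)
{
    node_unref(o->bs);
    free(o);
}

/* Stand-in for bdrv_set_backing_hd(): reports a use of a freed node instead
 * of dereferencing it. */
static int set_backing_hd(Node *bs, Node *backing)
{
    if (bs->freed || backing->freed) {
        return -1;
    }
    bs->backing = backing;
    return 0;
}

/* Models the shape of commit_complete(): the job's owners on top and overlay
 * are dropped first, and set_backing_hd() runs afterwards. Returns -1 if a
 * freed node was used, 1 if a node is still alive at the end (a leaked
 * reference), 0 if the operation succeeded and both nodes were released. */
static int complete(int take_bds_refs)
{
    Node *top = node_new("top");
    Node *overlay = node_new("overlay");
    Owner *job_top = owner_new(top);
    Owner *job_overlay = owner_new(overlay);
    int ret, result;

    /* Drop the creator's references: the job's owners are now the only holders. */
    node_unref(top);
    node_unref(overlay);

    if (take_bds_refs) {      /* the fix: keep both nodes alive across the window */
        node_ref(top);
        node_ref(overlay);
    }

    owner_unref(job_top);      /* without the extra refs this frees top ... */
    owner_unref(job_overlay);  /* ... and this frees overlay */

    ret = set_backing_hd(overlay, top);   /* the late use from the commit message */

    if (take_bds_refs) {      /* release the refs once the nodes are no longer needed */
        node_unref(overlay);
        node_unref(top);
    }

    if (ret < 0) {
        result = -1;
    } else if (!top->freed || !overlay->freed) {
        result = 1;
    } else {
        result = 0;
    }
    free(top);
    free(overlay);
    return result;
}
```

complete(0) reproduces the bug (the stale use is reported as -1); complete(1) follows the patched ordering and returns 0, with both nodes reaching refcount zero only after the last use, which is also the leak check a reviewer would want on every exit path.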