[Qemu-block] [PATCH 11/14] mirror: Fix potential use-after-free in activ

qemu-block

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-block] [PATCH 11/14] mirror: Fix potential use-after-free in activ

From:	Kevin Wolf
Subject:	[Qemu-block] [PATCH 11/14] mirror: Fix potential use-after-free in active commit
Date:	Fri, 7 Sep 2018 18:15:17 +0200

When starting an active commit job, other callbacks can run before
mirror_start_job() calls bdrv_ref() where needed and cause the nodes to
go away. Add another pair of bdrv_ref/unref() around it to protect
against this case.

Signed-off-by: Kevin Wolf <address@hidden>
---
 block/mirror.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/block/mirror.c b/block/mirror.c
index 6cc10df5c9..c42999eadf 100644
--- a/block/mirror.c
+++ b/block/mirror.c
@@ -1679,6 +1679,11 @@ void commit_active_start(const char *job_id, 
BlockDriverState *bs,
 
     orig_base_flags = bdrv_get_flags(base);
 
+    /* bdrv_reopen() drains, which might make the BDSes go away before a
+     * reference is taken in mirror_start_job(). */
+    bdrv_ref(bs);
+    bdrv_ref(base);
+
     if (bdrv_reopen(base, bs->open_flags, errp)) {
         return;
     }
@@ -1689,6 +1694,10 @@ void commit_active_start(const char *job_id, 
BlockDriverState *bs,
                      &commit_active_job_driver, false, base, auto_complete,
                      filter_node_name, false, MIRROR_COPY_MODE_BACKGROUND,
                      &local_err);
+
+    bdrv_unref(bs);
+    bdrv_unref(base);
+
     if (local_err) {
         error_propagate(errp, local_err);
         goto error_restore_flags;
-- 
2.13.6

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [Qemu-block] [PATCH 06/14] block: Add missing locking in bdrv_co_drain_bh_cb(), (continued)
- [Qemu-block] [PATCH 08/14] block-backend: Add .drained_poll callback, Kevin Wolf, 2018/09/07
  - Re: [Qemu-block] [PATCH 08/14] block-backend: Add .drained_poll callback, Fam Zheng, 2018/09/11
- [Qemu-block] [PATCH 09/14] block-backend: Fix potential double blk_delete(), Kevin Wolf, 2018/09/07
  - Re: [Qemu-block] [PATCH 09/14] block-backend: Fix potential double blk_delete(), Fam Zheng, 2018/09/11
- [Qemu-block] [PATCH 12/14] blockjob: Lie better in child_job_drained_poll(), Kevin Wolf, 2018/09/07
  - Re: [Qemu-block] [PATCH 12/14] blockjob: Lie better in child_job_drained_poll(), Fam Zheng, 2018/09/11
- [Qemu-block] [PATCH 10/14] block-backend: Decrease in_flight only after callback, Kevin Wolf, 2018/09/07
  - Re: [Qemu-block] [PATCH 10/14] block-backend: Decrease in_flight only after callback, Fam Zheng, 2018/09/11
- [Qemu-block] [PATCH 11/14] mirror: Fix potential use-after-free in active commit, Kevin Wolf <=
  - Re: [Qemu-block] [PATCH 11/14] mirror: Fix potential use-after-free in active commit, Fam Zheng, 2018/09/11
    - Re: [Qemu-block] [PATCH 11/14] mirror: Fix potential use-after-free in active commit, Kevin Wolf, 2018/09/11
- [Qemu-block] [PATCH 13/14] block: Remove aio_poll() in bdrv_drain_poll variants, Kevin Wolf, 2018/09/07
  - Re: [Qemu-block] [PATCH 13/14] block: Remove aio_poll() in bdrv_drain_poll variants, Fam Zheng, 2018/09/11
- [Qemu-block] [PATCH 14/14] test-bdrv-drain: Test nested poll in bdrv_drain_poll_top_level(), Kevin Wolf, 2018/09/07
  - Re: [Qemu-block] [PATCH 14/14] test-bdrv-drain: Test nested poll in bdrv_drain_poll_top_level(), Fam Zheng, 2018/09/11

Prev by Date: [Qemu-block] [PATCH 10/14] block-backend: Decrease in_flight only after callback
Next by Date: [Qemu-block] [PATCH 13/14] block: Remove aio_poll() in bdrv_drain_poll variants
Previous by thread: Re: [Qemu-block] [PATCH 10/14] block-backend: Decrease in_flight only after callback
Next by thread: Re: [Qemu-block] [PATCH 11/14] mirror: Fix potential use-after-free in active commit
Index(es):
- Date
- Thread