[PULL 04/28] block: Fix use after free in blockdev_mark_auto_del()
From: Kevin Wolf
Subject: [PULL 04/28] block: Fix use after free in blockdev_mark_auto_del()
Date: Wed, 10 May 2023 14:20:47 +0200
job_cancel_locked() drops the job list lock temporarily and it may call
aio_poll(). We must assume that the list has changed after this call.
Also, with unlucky timing, it can end up freeing the job during
job_completed_txn_abort_locked(), making the job pointer invalid, too.
For both reasons, we can't just continue at block_job_next_locked(job).
Instead, start at the head of the list again after job_cancel_locked()
and skip those jobs that we already cancelled (or that are completing
anyway).
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <20230503140142.474404-1-kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
blockdev.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/blockdev.c b/blockdev.c
index d7b5c18f0a..2c1752a403 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -153,12 +153,22 @@ void blockdev_mark_auto_del(BlockBackend *blk)
JOB_LOCK_GUARD();
- for (job = block_job_next_locked(NULL); job;
- job = block_job_next_locked(job)) {
- if (block_job_has_bdrv(job, blk_bs(blk))) {
+ do {
+ job = block_job_next_locked(NULL);
+ while (job && (job->job.cancelled ||
+ job->job.deferred_to_main_loop ||
+ !block_job_has_bdrv(job, blk_bs(blk))))
+ {
+ job = block_job_next_locked(job);
+ }
+ if (job) {
+ /*
+ * This drops the job lock temporarily and polls, so we need to
+ * restart processing the list from the start after this.
+ */
job_cancel_locked(&job->job, false);
}
- }
+ } while (job);
dinfo->auto_del = 1;
}
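Review bot: termination of the new `do { ... } while (job);` depends on job_cancel_locked() leaving `job->job.cancelled` set (or the job unlinked from the list) by the time it returns; otherwise the restart at `job = block_job_next_locked(NULL);` selects the same job again and the loop never ends. The comment above the call explains why the list is rescanned but not this invariant, so consider extending it along the lines of "the skip of cancelled jobs above is what guarantees forward progress". Rescanning from the head after every cancel is also quadratic in the number of block jobs; that is fine for the handful that exist in practice, but a short note in the comment or commit message would save the next reader from wondering whether it was intended.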
--
2.40.1
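The commit message describes the hazard in general terms: a per-element callback drops the list lock, polls, and may free the element it was handed (or its neighbours), so the iterator must not continue from that element. The following C program is an added example, not QEMU code, that models both shapes of the loop over a toy job list with invented names (Job, job_next_locked, job_uses_blk, job_cancel_locked); freeing is simulated with a `freed` flag so that the buggy loop's use of a freed job can be counted instead of crashing, and the five-job scenario is constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model of a block job with only the fields the loop looks at (invented). */
typedef struct Job {
    bool uses_blk;               /* references the BlockBackend being deleted */
    bool cancelled;              /* cancel already requested */
    bool deferred_to_main_loop;  /* completing anyway, must not be cancelled */
    bool freed;                  /* simulated free(): memory kept so use is observable */
    struct Job *next;
} Job;

static Job *job_list;   /* hypothetical global list, protected by the job lock */
static int uaf_count;   /* number of reads through a freed Job pointer */

/* Stand-in for block_job_next_locked(): NULL yields the head, otherwise the
 * successor. Reading ->next of a freed job is the use-after-free. */
static Job *job_next_locked(Job *job)
{
    if (!job) {
        return job_list;
    }
    if (job->freed) {
        uaf_count++;
    }
    return job->next;
}

/* Stand-in for block_job_has_bdrv(job, blk_bs(blk)). */
static bool job_uses_blk(Job *job)
{
    if (job->freed) {
        uaf_count++;
    }
    return job->uses_blk;
}

static void job_unlink_and_free(Job *victim)
{
    Job **pp = &job_list;
    while (*pp && *pp != victim) {
        pp = &(*pp)->next;
    }
    if (*pp) {
        *pp = victim->next;
    }
    victim->freed = true;        /* ->next is deliberately left dangling */
}

/* Stand-in for job_cancel_locked(): request the cancel, then model the lock
 * drop plus aio_poll() by letting this job and any job already deferred to
 * the main loop complete and be freed. Jobs cancelled earlier stay listed. */
static void job_cancel_locked(Job *job)
{
    job->cancelled = true;
    for (Job *cur = job_list, *nxt; cur; cur = nxt) {
        nxt = cur->next;
        if (cur == job || cur->deferred_to_main_loop) {
            job_unlink_and_free(cur);
        }
    }
}

/* Pre-patch shape: continues from a job that may just have been freed. */
static void mark_auto_del_buggy(void)
{
    for (Job *job = job_next_locked(NULL); job; job = job_next_locked(job)) {
        if (job_uses_blk(job)) {
            job_cancel_locked(job);
        }
    }
}

/* Patched shape: after each cancel restart from the head, skipping jobs that
 * are cancelled, completing anyway, or not on this backend. Skipping the
 * already-cancelled ones (J4 below) is what makes the restart terminate. */
static void mark_auto_del_fixed(void)
{
    Job *job;
    do {
        job = job_next_locked(NULL);
        while (job && (job->cancelled || job->deferred_to_main_loop ||
                       !job_uses_blk(job))) {
            job = job_next_locked(job);
        }
        if (job) {
            job_cancel_locked(job);
        }
    } while (job);
}

static Job jobs[5];   /* constructed scenario, in list order J1..J5 */

static void setup_jobs(void)
{
    static const struct { bool blk, cancelled, deferred; } init[5] = {
        { true,  false, false },  /* J1: plain job on this backend */
        { true,  false, true  },  /* J2: on this backend, already completing */
        { false, false, false },  /* J3: unrelated job */
        { true,  true,  false },  /* J4: cancelled earlier, not yet reaped */
        { true,  false, false },  /* J5: plain job on this backend */
    };
    job_list = NULL;
    uaf_count = 0;
    for (int i = 4; i >= 0; i--) {
        jobs[i] = (Job){ .uses_blk = init[i].blk, .cancelled = init[i].cancelled,
                         .deferred_to_main_loop = init[i].deferred, .next = job_list };
        job_list = &jobs[i];
    }
}

static int run_buggy(void) { setup_jobs(); mark_auto_del_buggy(); return uaf_count; }
static int run_fixed(void) { setup_jobs(); mark_auto_del_fixed(); return uaf_count; }

int main(void)
{
    printf("buggy loop: %d reads through freed jobs\n", run_buggy());
    printf("fixed loop: %d reads through freed jobs\n", run_fixed());
    return 0;
}
```

With the simulated free, the buggy loop reads `->next` of J1 right after cancelling it and then evaluates the freed J2, while the fixed loop never dereferences a pointer it obtained before a cancel. The fixed loop also leaves J2 alone (it was completing anyway) and does not re-cancel J4; remove the `job->cancelled` test from the inner `while` and the restart picks J4 every time, which is the infinite-loop failure mode the skip guards against.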