[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH v2 12/17] mirror: Fix potential use-after-free in ac
From: |
Kevin Wolf |
Subject: |
[Qemu-devel] [PATCH v2 12/17] mirror: Fix potential use-after-free in active commit |
Date: |
Thu, 13 Sep 2018 14:52:12 +0200 |
When starting an active commit job, other callbacks can run before
mirror_start_job() calls bdrv_ref() where needed and cause the nodes to
go away. Add another pair of bdrv_ref/unref() around it to protect
against this case.
Signed-off-by: Kevin Wolf <address@hidden>
---
block/mirror.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/block/mirror.c b/block/mirror.c
index 56d9ef7474..c8657991cf 100644
--- a/block/mirror.c
+++ b/block/mirror.c
@@ -1697,7 +1697,14 @@ void commit_active_start(const char *job_id,
BlockDriverState *bs,
orig_base_flags = bdrv_get_flags(base);
+ /* bdrv_reopen() drains, which might make the BDSes go away before a
+ * reference is taken in mirror_start_job(). */
+ bdrv_ref(bs);
+ bdrv_ref(base);
+
if (bdrv_reopen(base, bs->open_flags, errp)) {
+ bdrv_unref(bs);
+ bdrv_unref(base);
return;
}
@@ -1707,6 +1714,10 @@ void commit_active_start(const char *job_id,
BlockDriverState *bs,
&commit_active_job_driver, false, base, auto_complete,
filter_node_name, false, MIRROR_COPY_MODE_BACKGROUND,
&local_err);
+
+ bdrv_unref(bs);
+ bdrv_unref(base);
+
if (local_err) {
error_propagate(errp, local_err);
goto error_restore_flags;
--
2.13.6
- Re: [Qemu-devel] [PATCH v2 11/17] block-backend: Decrease in_flight only after callback, (continued)
- Re: [Qemu-devel] [PATCH v2 11/17] block-backend: Decrease in_flight only after callback, Paolo Bonzini, 2018/09/17
- Re: [Qemu-devel] [PATCH v2 11/17] block-backend: Decrease in_flight only after callback, Kevin Wolf, 2018/09/17
- Re: [Qemu-devel] [Qemu-block] [PATCH v2 11/17] block-backend: Decrease in_flight only after callback, Paolo Bonzini, 2018/09/17
- Re: [Qemu-devel] [Qemu-block] [PATCH v2 11/17] block-backend: Decrease in_flight only after callback, Kevin Wolf, 2018/09/17
- Re: [Qemu-devel] [Qemu-block] [PATCH v2 11/17] block-backend: Decrease in_flight only after callback, Paolo Bonzini, 2018/09/17
- Re: [Qemu-devel] [Qemu-block] [PATCH v2 11/17] block-backend: Decrease in_flight only after callback, Kevin Wolf, 2018/09/18
- Re: [Qemu-devel] [Qemu-block] [PATCH v2 11/17] block-backend: Decrease in_flight only after callback, Paolo Bonzini, 2018/09/18
- Re: [Qemu-devel] [Qemu-block] [PATCH v2 11/17] block-backend: Decrease in_flight only after callback, Kevin Wolf, 2018/09/18
- Re: [Qemu-devel] [Qemu-block] [PATCH v2 11/17] block-backend: Decrease in_flight only after callback, Paolo Bonzini, 2018/09/19
Re: [Qemu-devel] [PATCH v2 11/17] block-backend: Decrease in_flight only after callback, Max Reitz, 2018/09/13
[Qemu-devel] [PATCH v2 12/17] mirror: Fix potential use-after-free in active commit,
Kevin Wolf <=
- Re: [Qemu-devel] [PATCH v2 12/17] mirror: Fix potential use-after-free in active commit, Max Reitz, 2018/09/13
- Re: [Qemu-devel] [PATCH v2 12/17] mirror: Fix potential use-after-free in active commit, Max Reitz, 2018/09/13
- Re: [Qemu-devel] [PATCH v2 12/17] mirror: Fix potential use-after-free in active commit, Kevin Wolf, 2018/09/14
- Re: [Qemu-devel] [PATCH v2 12/17] mirror: Fix potential use-after-free in active commit, Max Reitz, 2018/09/16
- Re: [Qemu-devel] [PATCH v2 12/17] mirror: Fix potential use-after-free in active commit, Kevin Wolf, 2018/09/17
- Re: [Qemu-devel] [PATCH v2 12/17] mirror: Fix potential use-after-free in active commit, Max Reitz, 2018/09/18
- Re: [Qemu-devel] [PATCH v2 12/17] mirror: Fix potential use-after-free in active commit, Kevin Wolf, 2018/09/18
- Re: [Qemu-devel] [PATCH v2 12/17] mirror: Fix potential use-after-free in active commit, Max Reitz, 2018/09/18
- Re: [Qemu-devel] [PATCH v2 12/17] mirror: Fix potential use-after-free in active commit, Kevin Wolf, 2018/09/20
[Qemu-devel] [PATCH v2 15/17] test-bdrv-drain: Test nested poll in bdrv_drain_poll_top_level(), Kevin Wolf, 2018/09/13