[Qemu-stable] [PATCH 57/79] commit: Fix use after free in completion
From: Michael Roth
Subject: [Qemu-stable] [PATCH 57/79] commit: Fix use after free in completion
Date: Mon, 28 Aug 2017 19:14:32 -0500
From: Kevin Wolf <address@hidden>
The final bdrv_set_backing_hd() could be working on already freed nodes
because the commit job drops its references (through BlockBackends) to
both overlay_bs and top already a bit earlier.
One way to trigger the bug is hot unplugging a disk for which
blockdev_mark_auto_del() cancels the block job.
Fix this by taking BDS-level references while we're still using the
nodes.
Cc: address@hidden
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: John Snow <address@hidden>
(cherry picked from commit 19ebd13ed45ad5d5f277f5914d55b83f13eb09eb)
Signed-off-by: Michael Roth <address@hidden>
---
block/commit.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/block/commit.c b/block/commit.c
index 76a0d98..3bae46e 100644
--- a/block/commit.c
+++ b/block/commit.c
@@ -89,6 +89,10 @@ static void commit_complete(BlockJob *job, void *opaque)
int ret = data->ret;
bool remove_commit_top_bs = false;
+ /* Make sure overlay_bs and top stay around until bdrv_set_backing_hd() */
+ bdrv_ref(top);
+ bdrv_ref(overlay_bs);
+
/* Remove base node parent that still uses BLK_PERM_WRITE/RESIZE before
* the normal backing chain can be restored. */
blk_unref(s->base);
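Review bot: bdrv_ref(overlay_bs) at the top of this hunk is called unconditionally, before anything has established that overlay_bs is non-NULL; a later patch in this same stable series is titled "commit: Add NULL check for overlay_bs", which suggests it can be NULL on this path, in which case the unconditional ref would dereference NULL before the use-after-free this patch fixes could even occur. Suggest guarding the ref, and the matching unref at the end of the function, with `if (overlay_bs)`, or alternatively taking the ref only in the `if (remove_commit_top_bs)` branch that actually uses overlay_bs.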
@@ -124,6 +128,9 @@ static void commit_complete(BlockJob *job, void *opaque)
if (remove_commit_top_bs) {
bdrv_set_backing_hd(overlay_bs, top, &error_abort);
}
+
+ bdrv_unref(overlay_bs);
+ bdrv_unref(top);
}
static void coroutine_fn commit_run(void *opaque)
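Review bot: the two bdrv_unref() calls added here are the only release for the refs taken at the start of commit_complete(), so they must be reached on every exit path; the visible context shows no early return between the bdrv_ref() calls and this point, but since the refs are taken before blk_unref(s->base) and the job teardown, any return added to that region later would leak a reference and keep the nodes alive. Worth confirming the whole function has a single exit, and extending the comment "Make sure overlay_bs and top stay around until bdrv_set_backing_hd()" with a matching note here that these unrefs balance it. The unconditional unref of overlay_bs also needs the same NULL guard as the ref if overlay_bs can be NULL.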
--
2.7.4