[Qemu-stable] [PATCH 35/97] block: Fix use after free error in bdrv_open
From: Michael Roth
Subject: [Qemu-stable] [PATCH 35/97] block: Fix use after free error in bdrv_open_inherit()
Date: Mon, 1 Apr 2019 15:59:09 -0500

From: Alberto Garcia <address@hidden>

When a block device is opened with BDRV_O_SNAPSHOT and the
bdrv_append_temp_snapshot() call fails then the error code path tries
to unref the already destroyed 'options' QDict.

This can be reproduced easily by setting TMPDIR to a location where
the QEMU process can't write:

   $ TMPDIR=/nonexistent $QEMU -drive driver=null-co,snapshot=on

Signed-off-by: Alberto Garcia <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 8961be33e8ca7e809c603223803ea66ef7ea5be7)
Signed-off-by: Michael Roth <address@hidden>
---
block.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/block.c b/block.c
index 39f373e035..a7f6a13a74 100644
--- a/block.c
+++ b/block.c
@@ -2787,6 +2787,7 @@ static BlockDriverState *bdrv_open_inherit(const char
*filename,
bdrv_parent_cb_change_media(bs, true);
qobject_unref(options);
+ options = NULL;
/* For snapshot=on, create a temporary qcow2 overlay. bs points to the
* temporary snapshot afterwards. */
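Review bot: The added `options = NULL;` directly after `qobject_unref(options);` has no comment saying that it exists so the later error path does not unref the QDict a second time, so a future cleanup could drop it as a dead store. Suggest a one-line comment such as `/* options is gone; the error path must not unref it again */`. The fix also depends on the error path's unref accepting NULL, which these lines do not show and is worth confirming. The diffstat touches only block.c, so the reproducer given in the commit message (TMPDIR=/nonexistent with snapshot=on) is not captured as a regression test; consider adding one.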
--
2.17.1
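The error-path pattern described in the commit message, as an added example that is not QEMU code and not part of the original patch: a reference is dropped mid-function, a later failure jumps to shared cleanup, and the cleanup drops it again unless the pointer was cleared. `Obj`, `obj_unref`, `open_dev` and `stale_unrefs` are hypothetical names, and the object is kept in caller storage so the stale unref can be counted safely.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a reference-counted options dict (not QEMU's QDict). */
typedef struct Obj {
    int refcnt;
    int stale_unrefs;   /* unref calls that arrived after refcnt hit 0 */
} Obj;

/* Assumption: unref tolerates NULL. The object lives in caller storage so a
 * stale unref is counted here instead of touching freed heap memory. */
static void obj_unref(Obj *o)
{
    if (!o) return;
    if (o->refcnt == 0) {
        o->stale_unrefs++;          /* would be a use after free */
        return;
    }
    o->refcnt--;
}

/* Hypothetical open routine shaped like the path in the commit message. */
static int open_dev(Obj *options, bool snapshot_fails, bool clear_ptr)
{
    obj_unref(options);             /* options is released here */
    if (clear_ptr) options = NULL;  /* the one-line fix */
    if (snapshot_fails) goto fail;  /* late failure, e.g. temp overlay */
    return 0;
fail:
    obj_unref(options);             /* shared cleanup still sees options */
    return -1;
}

/* Runs one open attempt and reports how many stale unrefs it caused. */
static int stale_unrefs(bool snapshot_fails, bool clear_ptr)
{
    Obj o = { .refcnt = 1, .stale_unrefs = 0 };
    open_dev(&o, snapshot_fails, clear_ptr);
    return o.stale_unrefs;
}

int main(void)
{
    printf("unfixed: %d, fixed: %d\n",
           stale_unrefs(true, false), stale_unrefs(true, true));
    return 0;
}
```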