[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-block] [PULL 04/10] block/mirror: Fix use-after-free
From: |
Kevin Wolf |
Subject: |
[Qemu-block] [PULL 04/10] block/mirror: Fix use-after-free |
Date: |
Fri, 7 Apr 2017 15:47:39 +0200 |
From: Max Reitz <address@hidden>
If @bs does not have any parents, the only reference to @mirror_top_bs
will be held by the BlockJob object after the bdrv_unref() following
block_job_create(). However, if block_job_create() fails, this reference
will not exist and @mirror_top_bs will have been deleted when we
goto fail.
The issue comes back at all later entries to the fail label: We delete
the BlockJob object before rolling back our changes to the node graph.
This means that we will delete @mirror_top_bs in the process.
All in all, whenever @bs does not have any parents and we go down the
fail path we will dereference @mirror_top_bs after it has been deleted.
Fix this by invoking bdrv_unref() only when block_job_create() was
successful and by bdrv_ref()'ing @mirror_top_bs in the fail path before
deleting the BlockJob object. Finally, bdrv_unref() it at the end of the
fail path after we actually no longer need it.
Signed-off-by: Max Reitz <address@hidden>
Reviewed-by: John Snow <address@hidden>
Reviewed-by: Philippe Mathieu-Daudé <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
---
block/mirror.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/block/mirror.c b/block/mirror.c
index 9e2fecc..46ecd38 100644
--- a/block/mirror.c
+++ b/block/mirror.c
@@ -1150,7 +1150,7 @@ static void mirror_start_job(const char *job_id,
BlockDriverState *bs,
mirror_top_bs->total_sectors = bs->total_sectors;
/* bdrv_append takes ownership of the mirror_top_bs reference, need to keep
- * it alive until block_job_create() even if bs has no parent. */
+ * it alive until block_job_create() succeeds even if bs has no parent. */
bdrv_ref(mirror_top_bs);
bdrv_drained_begin(bs);
bdrv_append(mirror_top_bs, bs, &local_err);
@@ -1168,10 +1168,12 @@ static void mirror_start_job(const char *job_id,
BlockDriverState *bs,
BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE_UNCHANGED |
BLK_PERM_WRITE | BLK_PERM_GRAPH_MOD, speed,
creation_flags, cb, opaque, errp);
- bdrv_unref(mirror_top_bs);
if (!s) {
goto fail;
}
+ /* The block job now has a reference to this node */
+ bdrv_unref(mirror_top_bs);
+
s->source = bs;
s->mirror_top_bs = mirror_top_bs;
@@ -1242,6 +1244,10 @@ static void mirror_start_job(const char *job_id,
BlockDriverState *bs,
fail:
if (s) {
+ /* Make sure this BDS does not go away until we have completed the
graph
+ * changes below */
+ bdrv_ref(mirror_top_bs);
+
g_free(s->replaces);
blk_unref(s->target);
block_job_unref(&s->common);
@@ -1250,6 +1256,8 @@ fail:
bdrv_child_try_set_perm(mirror_top_bs->backing, 0, BLK_PERM_ALL,
&error_abort);
bdrv_replace_node(mirror_top_bs, backing_bs(mirror_top_bs), &error_abort);
+
+ bdrv_unref(mirror_top_bs);
}
void mirror_start(const char *job_id, BlockDriverState *bs,
--
1.8.3.1
- [Qemu-block] [PULL 00/10] Block layer fixes for 2.9.0-rc4, Kevin Wolf, 2017/04/07
- [Qemu-block] [PULL 01/10] block: Ignore guest dev permissions during incoming migration, Kevin Wolf, 2017/04/07
- [Qemu-block] [PULL 03/10] commit: Set commit_top_bs->total_sectors, Kevin Wolf, 2017/04/07
- [Qemu-block] [PULL 02/10] commit: Set commit_top_bs->aio_context, Kevin Wolf, 2017/04/07
- [Qemu-block] [PULL 04/10] block/mirror: Fix use-after-free,
Kevin Wolf <=
- [Qemu-block] [PULL 05/10] iotests: Add mirror tests for orphaned source, Kevin Wolf, 2017/04/07
- [Qemu-block] [PULL 06/10] qemu-img: img_create does not support image-opts, fix docs, Kevin Wolf, 2017/04/07
- [Qemu-block] [PULL 09/10] block: Assert attached child node has right aio context, Kevin Wolf, 2017/04/07
- [Qemu-block] [PULL 07/10] block: Don't check permissions for copy on read, Kevin Wolf, 2017/04/07
- [Qemu-block] [PULL 08/10] block: Fix unpaired aio_disable_external in external snapshot, Kevin Wolf, 2017/04/07
- [Qemu-block] [PULL 10/10] mirror: Fix aio context of mirror_top_bs, Kevin Wolf, 2017/04/07
- Re: [Qemu-block] [Qemu-devel] [PULL 00/10] Block layer fixes for 2.9.0-rc4, Peter Maydell, 2017/04/07
- Re: [Qemu-block] [Qemu-devel] [PULL 00/10] Block layer fixes for 2.9.0-rc4, no-reply, 2017/04/12