Re: [Qemu-devel] [PULL 5/8] commit: Fix use after free in completion
From: Kevin Wolf
Subject: Re: [Qemu-devel] [PULL 5/8] commit: Fix use after free in completion
Date: Tue, 13 Jun 2017 18:46:28 +0200
User-agent: Mutt/1.5.21 (2010-09-15)
On 13.06.2017 at 18:12, Peter Maydell wrote:
> On 7 June 2017 at 18:50, Kevin Wolf <address@hidden> wrote:
> > diff --git a/block/commit.c b/block/commit.c
> > index a3028b2..af6fa68 100644
> > --- a/block/commit.c
> > +++ b/block/commit.c
> > @@ -89,6 +89,10 @@ static void commit_complete(BlockJob *job, void *opaque)
> > int ret = data->ret;
> > bool remove_commit_top_bs = false;
> >
> > + /* Make sure overlay_bs and top stay around until
> > bdrv_set_backing_hd() */
> > + bdrv_ref(top);
> > + bdrv_ref(overlay_bs);
> > +
> > /* Remove base node parent that still uses BLK_PERM_WRITE/RESIZE before
> > * the normal backing chain can be restored. */
> > blk_unref(s->base);
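Review bot: The new bdrv_ref(overlay_bs) at the top of commit_complete() takes the reference unconditionally, but the function later tests `if (overlay_bs && ...)`, so one of the two is wrong: either overlay_bs can be NULL and bdrv_ref() will dereference it here, or it cannot and the later check is dead. Resolve it explicitly, for example by guarding the reference (`if (overlay_bs) { bdrv_ref(overlay_bs); }`) with an equally guarded release, or by asserting non-NULL and dropping the later check, and record the decision in the comment above the refs. The hunk also shows no matching bdrv_unref() for top and overlay_bs; since the comment says they only need to stay around until bdrv_set_backing_hd(), confirm the balancing unrefs are placed after that call so the nodes are neither freed early nor leaked.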
>
> Hi -- coverity complains about this change, because bdrv_ref()
> assumes that its argument is not NULL, but later on in commit_complete()
> we have a check
> "if (overlay_bs && ...)"
> which assumes its argument might be NULL. (CID 1376205)
>
> Which is correct?
I saw the Coverity report and am looking into it. It's not completely
clear to me yet which is correct, but I suspect it can be NULL.
Kevin
- [Qemu-devel] [PULL 0/8] Block layer patches, Kevin Wolf, 2017/06/07
- [Qemu-devel] [PULL 1/8] block: Fix anonymous BBs in blk_root_inactivate(), Kevin Wolf, 2017/06/07
- [Qemu-devel] [PULL 2/8] migration: Inactivate images after .save_live_complete_precopy(), Kevin Wolf, 2017/06/07
- [Qemu-devel] [PULL 3/8] migration/block: Clean up BBs in block_save_complete(), Kevin Wolf, 2017/06/07
- [Qemu-devel] [PULL 4/8] qemu-iotests: Block migration test, Kevin Wolf, 2017/06/07
- [Qemu-devel] [PULL 5/8] commit: Fix use after free in completion, Kevin Wolf, 2017/06/07
- [Qemu-devel] [PULL 7/8] block/qcow.c: Fix memory leak in qcow_create(), Kevin Wolf, 2017/06/07
- [Qemu-devel] [PULL 6/8] qemu-iotests: Test automatic commit job cancel on hot unplug, Kevin Wolf, 2017/06/07
- [Qemu-devel] [PULL 8/8] block: fix external snapshot abort permission error, Kevin Wolf, 2017/06/07
- Re: [Qemu-devel] [PULL 0/8] Block layer patches, Peter Maydell, 2017/06/12