[PATCH 45/55] mirror: Do not dereference invalid pointers
From: Michael Roth
Subject: [PATCH 45/55] mirror: Do not dereference invalid pointers
Date: Tue, 5 Nov 2019 14:52:33 -0600
From: Max Reitz <address@hidden>
mirror_exit_common() may be called twice (if it is called from
mirror_prepare() and fails, it will be called from mirror_abort()
again).
In such a case, many of the pointers in the MirrorBlockJob object will
already be freed. This can be seen most reliably for s->target, which
is set to NULL (and then dereferenced by blk_bs()).
Cc: address@hidden
Fixes: 737efc1eda23b904fbe0e66b37715fb0e5c3e58b
Signed-off-by: Max Reitz <address@hidden>
Reviewed-by: John Snow <address@hidden>
Reviewed-by: Vladimir Sementsov-Ogievskiy <address@hidden>
Message-id: address@hidden
Signed-off-by: Max Reitz <address@hidden>
(cherry picked from commit f93c3add3a773e0e3f6277e5517583c4ad3a43c2)
Signed-off-by: Michael Roth <address@hidden>
---
block/mirror.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/block/mirror.c b/block/mirror.c
index 9f5c59ece1..0e3f7923cf 100644
--- a/block/mirror.c
+++ b/block/mirror.c
@@ -618,11 +618,11 @@ static int mirror_exit_common(Job *job)
{
MirrorBlockJob *s = container_of(job, MirrorBlockJob, common.job);
BlockJob *bjob = &s->common;
- MirrorBDSOpaque *bs_opaque = s->mirror_top_bs->opaque;
+ MirrorBDSOpaque *bs_opaque;
AioContext *replace_aio_context = NULL;
- BlockDriverState *src = s->mirror_top_bs->backing->bs;
- BlockDriverState *target_bs = blk_bs(s->target);
- BlockDriverState *mirror_top_bs = s->mirror_top_bs;
+ BlockDriverState *src;
+ BlockDriverState *target_bs;
+ BlockDriverState *mirror_top_bs;
Error *local_err = NULL;
bool abort = job->ret < 0;
int ret = 0;
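Review bot: `bs_opaque`, `src`, `target_bs` and `mirror_top_bs` now have no initializer, while `replace_aio_context`, `local_err` and `ret` in the same declaration block keep theirs. Since the four pointers are only assigned later in the function, any code path that reaches them before that point would read an indeterminate value rather than NULL. The visible context shows no such use, but initializing them to NULL to match `replace_aio_context` would make an accidental early use fail deterministically and keeps the block consistent.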
@@ -632,6 +632,11 @@ static int mirror_exit_common(Job *job)
}
s->prepared = true;
+ mirror_top_bs = s->mirror_top_bs;
+ bs_opaque = mirror_top_bs->opaque;
+ src = mirror_top_bs->backing->bs;
+ target_bs = blk_bs(s->target);
+
if (bdrv_chain_contains(src, target_bs)) {
bdrv_unfreeze_backing_chain(mirror_top_bs, target_bs);
}
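Review bot: placing the four assignments after `s->prepared = true;` is the substance of the fix and looks correct: on the second mirror_exit_common() call described in the commit message the function returns before `blk_bs(s->target)` is evaluated, so the NULL `s->target` is never dereferenced. Note that `mirror_top_bs->backing->bs` still assumes `backing` is non-NULL on the first call, exactly as the old initializer did; a one-line comment stating that the backing chain is still attached (it is only unfrozen on the next line) would make that invariant explicit for the next reader.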
--
2.17.1
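As an added illustration that is not part of this patch or of QEMU's code, the following toy reproduces the shape of the bug and of the fix: a cleanup routine that may be entered twice, once with its derived pointer computed at declaration time (before the re-entry guard) and once with it computed after the guard, as the patch does. `ToyJob`, `toy_exit_old`, `toy_exit_fixed` and `toy_double_exit` are constructed names; the NULL check that returns -EFAULT stands in for the crash the real code would take.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the job state; not QEMU's MirrorBlockJob. */
typedef struct {
    char *target;    /* owned buffer, freed and set to NULL on the first exit */
    bool prepared;   /* re-entry guard, same role as s->prepared in mirror.c */
    int exits_run;   /* how many times the cleanup body actually executed */
} ToyJob;

static void toy_job_init(ToyJob *j)
{
    j->target = malloc(16);
    strcpy(j->target, "target");
    j->prepared = false;
    j->exits_run = 0;
}

/* Old shape: the derived value is computed at declaration time, before the
 * guard. The NULL check simulates the dereference that would crash on the
 * second call; it returns -EFAULT instead so the toy can be run safely. */
static int toy_exit_old(ToyJob *j)
{
    if (j->target == NULL) {
        return -EFAULT;               /* real code would dereference NULL here */
    }
    size_t target_len = strlen(j->target);
    (void)target_len;
    if (j->prepared) {
        return 0;
    }
    j->prepared = true;
    j->exits_run++;
    free(j->target);
    j->target = NULL;
    return 0;
}

/* Fixed shape: return on re-entry first, read the pointer only afterwards,
 * mirroring the assignments the patch moves below s->prepared = true. */
static int toy_exit_fixed(ToyJob *j)
{
    size_t target_len;
    if (j->prepared) {
        return 0;                     /* second call: nothing left to touch */
    }
    j->prepared = true;
    if (j->target == NULL) {
        return -EFAULT;               /* not reachable on the second call */
    }
    target_len = strlen(j->target);
    (void)target_len;
    j->exits_run++;
    free(j->target);
    j->target = NULL;
    return 0;
}

/* Runs the prepare-fails-then-abort sequence (two exits on one job) with the
 * given exit routine and returns the result of the second call. */
static int toy_double_exit(int (*exit_fn)(ToyJob *))
{
    ToyJob j;
    toy_job_init(&j);
    exit_fn(&j);                      /* first exit, from prepare */
    int rc = exit_fn(&j);             /* second exit, from abort */
    free(j.target);                   /* no-op when already freed */
    return rc;
}

int main(void)
{
    /* Old shape hits the simulated NULL dereference; fixed shape does not. */
    return (toy_double_exit(toy_exit_old) == -EFAULT &&
            toy_double_exit(toy_exit_fixed) == 0) ? 0 : 1;
}
```

The cleanup body runs exactly once in both variants; the difference is only whether anything is read from the job before the guard decides that the first call already tore it down.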