[PATCH v7.2.3 17/30] block: Fix use after free in blockdev_mark_auto_del
From: Michael Tokarev
Subject: [PATCH v7.2.3 17/30] block: Fix use after free in blockdev_mark_auto_del()
Date: Wed, 17 May 2023 12:10:29 +0300
From: Kevin Wolf <kwolf@redhat.com>
job_cancel_locked() drops the job list lock temporarily and it may call
aio_poll(). We must assume that the list has changed after this call.
Also, with unlucky timing, it can end up freeing the job during
job_completed_txn_abort_locked(), making the job pointer invalid, too.
For both reasons, we can't just continue at block_job_next_locked(job).
Instead, start at the head of the list again after job_cancel_locked()
and skip those jobs that we already cancelled (or that are completing
anyway).
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit e2626874a32602d4e52971c786ef5ffb4430629d)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
---
blockdev.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/blockdev.c b/blockdev.c
index 3f1dec6242..ae27a41efa 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -152,12 +152,22 @@ void blockdev_mark_auto_del(BlockBackend *blk)
JOB_LOCK_GUARD();
- for (job = block_job_next_locked(NULL); job;
- job = block_job_next_locked(job)) {
- if (block_job_has_bdrv(job, blk_bs(blk))) {
+ do {
+ job = block_job_next_locked(NULL);
+ while (job && (job->job.cancelled ||
+ job->job.deferred_to_main_loop ||
+ !block_job_has_bdrv(job, blk_bs(blk))))
+ {
+ job = block_job_next_locked(job);
+ }
+ if (job) {
+ /*
+ * This drops the job lock temporarily and polls, so we need to
+ * restart processing the list from the start after this.
+ */
job_cancel_locked(&job->job, false);
}
- }
+ } while (job);
dinfo->auto_del = 1;
}
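Review bot: the termination of the new `do { ... } while (job);` loop relies on job_cancel_locked(&job->job, false) leaving job->job.cancelled or job->job.deferred_to_main_loop set on the job it was handed (or having freed that job off the list) before it returns; if a cancel can return without doing either, the restart at block_job_next_locked(NULL) selects the same job again and the loop never exits. That invariant is worth stating in the comment above the call, next to the note about the lock being dropped, so that a later change to job_cancel_locked() that defers setting the flag does not silently reintroduce a hang here. The narrowing from "every job on blk" to "every job on blk that is not already cancelled or completing" is the intended behaviour change and is covered by the commit message.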
--
2.39.2
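The hazard the commit message describes (a callee that drops the list lock, polls, and may free the current node or change the list) and the restart-from-head fix it applies are easy to model in isolation. The following is an added example written for this page, not code from QEMU or from the patch author: it uses a constructed toy job list and a simulated job_cancel_locked_sim() (a hypothetical stand-in) that can free the job or push a new job while "polling", and compares the pre-patch continue-from-next shape with the patched restart-and-skip shape. It shows the second hazard from the message, a list that changed under the iteration, without any freed-memory access; the old loop is only exercised in the configuration where it does not free the node.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed toy model of a job list, not QEMU's real BlockJob/Job types. */
typedef struct Job {
    int blk_id;                  /* block backend this job uses */
    bool cancelled;
    bool deferred_to_main_loop;  /* completing; must be left alone */
    struct Job *next;
} Job;

typedef struct {
    Job *head;
    bool free_on_poll;  /* the job is freed while the lock is dropped */
    bool add_on_poll;   /* another job for the same blk appears meanwhile */
} JobList;

static Job *job_new(int blk_id)
{
    Job *j = calloc(1, sizeof(*j));
    if (!j) {
        abort();
    }
    j->blk_id = blk_id;
    return j;
}

static void job_list_push(JobList *l, Job *j)
{
    j->next = l->head;
    l->head = j;
}

static void job_list_unlink_free(JobList *l, Job *victim)
{
    Job **pp = &l->head;
    while (*pp && *pp != victim) {
        pp = &(*pp)->next;
    }
    if (*pp) {
        *pp = victim->next;
        free(victim);
    }
}

/*
 * Hypothetical stand-in for job_cancel_locked(): flags the job, then models
 * the window in which the lock is dropped and aio_poll() runs. In that
 * window the job may be freed and the list may gain entries, so after this
 * returns the caller must treat `job` as invalid and the list as changed.
 */
static void job_cancel_locked_sim(JobList *l, Job *job)
{
    int blk_id = job->blk_id;
    job->cancelled = true;
    if (l->free_on_poll) {
        job_list_unlink_free(l, job);  /* `job` now dangles */
    }
    if (l->add_on_poll) {
        l->add_on_poll = false;        /* only once per run */
        job_list_push(l, job_new(blk_id));
    }
}

/* Pre-patch shape: continue from job->next. Unsafe once the callee may free
 * `job`, and it never sees entries pushed in front of the cursor. */
static int mark_auto_del_continue(JobList *l, int blk_id)
{
    int cancels = 0;
    for (Job *job = l->head; job; job = job->next) {
        if (job->blk_id == blk_id) {
            job_cancel_locked_sim(l, job);
            cancels++;
        }
    }
    return cancels;
}

/* Patched shape: restart from the head after every cancel and skip jobs that
 * are already cancelled, completing, or belong to another backend. */
static int mark_auto_del_restart(JobList *l, int blk_id)
{
    int cancels = 0;
    Job *job;
    do {
        job = l->head;
        while (job && (job->cancelled || job->deferred_to_main_loop ||
                       job->blk_id != blk_id)) {
            job = job->next;
        }
        if (job) {
            job_cancel_locked_sim(l, job);  /* `job` invalid after this */
            cancels++;
        }
    } while (job);
    return cancels;
}

/* Jobs for blk_id that are neither cancelled nor completing. */
static int live_jobs_for_blk(const JobList *l, int blk_id)
{
    int n = 0;
    for (const Job *j = l->head; j; j = j->next) {
        if (j->blk_id == blk_id && !j->cancelled && !j->deferred_to_main_loop) {
            n++;
        }
    }
    return n;
}

/* Constructed scenario: three live jobs and one completing job on blk 1, one
 * job on blk 2. Returns how many live blk 1 jobs were left uncancelled. */
static int run_scenario(bool use_restart, bool free_on_poll, bool add_on_poll)
{
    JobList l = { .free_on_poll = free_on_poll, .add_on_poll = add_on_poll };
    Job *completing = job_new(1);
    completing->deferred_to_main_loop = true;
    job_list_push(&l, job_new(1));
    job_list_push(&l, job_new(2));
    job_list_push(&l, job_new(1));
    job_list_push(&l, completing);
    job_list_push(&l, job_new(1));
    if (use_restart) {
        mark_auto_del_restart(&l, 1);
    } else {
        mark_auto_del_continue(&l, 1);
    }
    int left = live_jobs_for_blk(&l, 1);
    while (l.head) {
        job_list_unlink_free(&l, l.head);
    }
    return left;
}
```

run_scenario(false, false, true) returns 1: the old loop misses the job that appeared while it was "polling". run_scenario(true, ...) returns 0 in every configuration, including the one where each cancelled job is freed, and the do/while terminates because every restart finds the previously cancelled jobs either flagged or gone. Running the old loop with free_on_poll set is exactly the use after free the patch removes, so this example never does that.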