From: Michael Roth <mdroth@linux.vnet.ibm.com>
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Kevin Wolf <kwolf@redhat.com>
Subject: [Qemu-devel] [PATCH 57/79] commit: Fix use after free in completion
Date: Mon, 28 Aug 2017 19:14:32 -0500
Message-ID: <1503965694-10794-58-git-send-email-mdroth@linux.vnet.ibm.com>
In-Reply-To: <1503965694-10794-1-git-send-email-mdroth@linux.vnet.ibm.com>

From: Kevin Wolf <kwolf@redhat.com>

The final bdrv_set_backing_hd() could be working on already freed nodes
because the commit job drops its references (through BlockBackends) to
both overlay_bs and top already a bit earlier.

One way to trigger the bug is hot unplugging a disk for which
blockdev_mark_auto_del() cancels the block job.

Fix this by taking BDS-level references while we're still using the
nodes.

Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
(cherry picked from commit 19ebd13ed45ad5d5f277f5914d55b83f13eb09eb)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/commit.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/block/commit.c b/block/commit.c
index 76a0d98..3bae46e 100644
--- a/block/commit.c
+++ b/block/commit.c
@@ -89,6 +89,10 @@ static void commit_complete(BlockJob *job, void *opaque)
     int ret = data->ret;
     bool remove_commit_top_bs = false;
 
+    /* Make sure overlay_bs and top stay around until bdrv_set_backing_hd() */
+    bdrv_ref(top);
+    bdrv_ref(overlay_bs);
+
     /* Remove base node parent that still uses BLK_PERM_WRITE/RESIZE before
      * the normal backing chain can be restored. */
     blk_unref(s->base);
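Review bot: bdrv_ref(overlay_bs) is taken unconditionally at the top of commit_complete(), while the later bdrv_set_backing_hd(overlay_bs, top, &error_abort) only runs when remove_commit_top_bs is set; if overlay_bs can be NULL on the other path, this will crash, since bdrv_ref() has no NULL check of its own. Consider guarding the ref (and its matching unref) with `if (overlay_bs)`, or state in the comment why overlay_bs is guaranteed non-NULL here. The new comment would also read better if it named what drops the references: blk_unref(s->base) immediately below and the job's later BlockBackend teardown, as the commit message explains.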
@@ -124,6 +128,9 @@ static void commit_complete(BlockJob *job, void *opaque)
     if (remove_commit_top_bs) {
         bdrv_set_backing_hd(overlay_bs, top, &error_abort);
     }
+
+    bdrv_unref(overlay_bs);
+    bdrv_unref(top);
 }
 
 static void coroutine_fn commit_run(void *opaque)
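Review bot: the bdrv_unref() calls sit at the very end of commit_complete(), but the body between the two hunks is not shown; please confirm there is no early return or goto between the bdrv_ref() calls and these unrefs, otherwise the extra references leak and keep both nodes alive after the job has finished. A one-line comment that these balance the references taken at the start of the function would help readers pair them; if overlay_bs can be NULL, bdrv_unref(overlay_bs) needs the same guard as the ref.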
-- 
2.7.4
