Received: from eggs.gnu.org ([140.186.70.92]:39632) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1R9bHT-0008Bl-FE for qemu-devel@nongnu.org; Fri, 30 Sep 2011 07:29:28 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1R9bHS-0000u1-7a for qemu-devel@nongnu.org; Fri, 30 Sep 2011 07:29:27 -0400
Received: from mx1.redhat.com ([209.132.183.28]:59565) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1R9bHR-0000tt-Qy for qemu-devel@nongnu.org; Fri, 30 Sep 2011 07:29:26 -0400
Date: Fri, 30 Sep 2011 16:57:59 +0530
From: Amit Shah
Message-ID: <20110930112759.GI21901@amit-x200.redhat.com>
References: <1317379151-11557-1-git-send-email-stefanha@linux.vnet.ibm.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1317379151-11557-1-git-send-email-stefanha@linux.vnet.ibm.com>
Subject: Re: [Qemu-devel] [PATCH] qed: fix use-after-free during l2 cache commit
To: Stefan Hajnoczi
Cc: Anthony Liguori , qemu-devel@nongnu.org

On (Fri) 30 Sep 2011 [11:39:11], Stefan Hajnoczi wrote:
> QED's metadata caching strategy allows two parallel requests to race for
> metadata lookup. The first one to complete will populate the metadata
> cache and the second one will drop the data it just read in favor of the
> cached data.
>
> There is a use-after-free in qed_read_l2_table_cb() and
> qed_commit_l2_update() where l2_table->offset was used after the
> l2_table may have been freed due to a metadata lookup race. Fix this by
> keeping the l2_offset in a local variable and not reaching into the
> possibly freed l2_table.
>
> Reported-by: Amit Shah
> Signed-off-by: Stefan Hajnoczi
> ---
> Hi Amit,
> Thanks for reporting the assertion failure you saw at http://fpaste.org/CDuv/.
> Does this patch fix the problem?

Yes, this fixes it.

Thanks,
Amit
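The bug class described in the quoted commit message (a callback that commits a freshly read table to a cache, where the commit may free that table because a parallel request already populated the cache, and the caller then dereferences the freed pointer) can be shown in isolation. The following C program is an added example written for this thread; it is not QED code and not Stefan's patch. The names L2Table, L2Cache, l2_cache_commit, l2_read_done and race_demo, the four-slot cache and the sample offset 0x10000 are all made up for the demonstration. It reproduces the race deterministically with two reads of the same table and applies the fix the commit message describes: capture the offset in a local before the call that may free the object, and never touch the pointer afterwards.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define L2_CACHE_SLOTS 4   /* hypothetical: small fixed-size cache for the demo */

/* Hypothetical L2 table; 'offset' is the file offset and the cache key. */
typedef struct L2Table {
    uint64_t offset;
    uint64_t entries[8];
} L2Table;

typedef struct L2Cache {
    L2Table *slots[L2_CACHE_SLOTS];
} L2Cache;

static void l2_cache_init(L2Cache *c) { memset(c, 0, sizeof(*c)); }

static L2Table *l2_table_new(uint64_t offset)
{
    L2Table *t = calloc(1, sizeof(*t));
    if (t) t->offset = offset;
    return t;
}

static L2Table *l2_cache_find(const L2Cache *c, uint64_t offset)
{
    for (int i = 0; i < L2_CACHE_SLOTS; i++)
        if (c->slots[i] && c->slots[i]->offset == offset)
            return c->slots[i];
    return NULL;
}

static int l2_cache_count(const L2Cache *c)
{
    int n = 0;
    for (int i = 0; i < L2_CACHE_SLOTS; i++)
        n += c->slots[i] != NULL;
    return n;
}

static void l2_cache_free(L2Cache *c)
{
    for (int i = 0; i < L2_CACHE_SLOTS; i++) {
        free(c->slots[i]);
        c->slots[i] = NULL;
    }
}

/* Commit a freshly read table. If a parallel request already cached a
 * table for the same offset, the caller's copy loses the race: it is
 * freed and the cached one is returned. On return, 'fresh' may dangle. */
static L2Table *l2_cache_commit(L2Cache *c, L2Table *fresh)
{
    L2Table *cached = l2_cache_find(c, fresh->offset);
    if (cached) {
        free(fresh);                  /* the race loser is released here */
        return cached;
    }
    for (int i = 0; i < L2_CACHE_SLOTS; i++) {
        if (!c->slots[i]) {
            c->slots[i] = fresh;
            return fresh;
        }
    }
    free(c->slots[0]);                /* cache full: crude eviction for the demo */
    c->slots[0] = fresh;
    return fresh;
}

/* Read-completion callback.
 * Unsafe ordering:  l2_cache_commit(c, fresh); key = fresh->offset;
 *                   (use-after-free whenever commit freed 'fresh')
 * Safe ordering:    copy what is needed later into a local BEFORE the call
 *                   that may free the object, then drop the pointer. */
static uint64_t l2_read_done(L2Cache *c, L2Table *fresh)
{
    uint64_t l2_offset = fresh->offset;          /* captured before commit */
    L2Table *live = l2_cache_commit(c, fresh);   /* may free 'fresh' */
    fresh = NULL;                                /* later misuse crashes instead of silently reading freed memory */
    return live->offset == l2_offset ? l2_offset : 0;
}

/* Reproduce the race: two requests read the same L2 table and both commit.
 * Returns 1 when the cache holds exactly one copy and both completions
 * still report the correct offset. */
static int race_demo(void)
{
    L2Cache c;
    l2_cache_init(&c);
    L2Table *first  = l2_table_new(0x10000);   /* constructed sample offset */
    L2Table *second = l2_table_new(0x10000);   /* same table, read in parallel */
    uint64_t a = l2_read_done(&c, first);      /* populates the cache */
    uint64_t b = l2_read_done(&c, second);     /* loses the race; 'second' is freed */
    int ok = a == 0x10000 && b == 0x10000 &&
             l2_cache_count(&c) == 1 && l2_cache_find(&c, 0x10000) == first;
    l2_cache_free(&c);
    return ok;
}

int main(void)
{
    int ok = race_demo();
    printf("race handled safely: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

Running the program under AddressSanitizer or valgrind with the two lines in l2_read_done swapped into the unsafe order is the quickest way to see the bug the patch removes: the read of fresh->offset after l2_cache_commit is flagged as a heap-use-after-free on the second completion.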