From: Kevin Wolf <kwolf@redhat.com>
To: qemu-block@nongnu.org
Cc: kwolf@redhat.com, peter.maydell@linaro.org, qemu-devel@nongnu.org
Subject: [PULL 04/36] block/vvfat: Do not unref qcow on closing backing bdrv
Date: Tue, 18 Feb 2020 15:06:50 +0100
Message-ID: <20200218140722.23876-5-kwolf@redhat.com>
In-Reply-To: <20200218140722.23876-1-kwolf@redhat.com>

From: Hikaru Nishida <hikarupsp@gmail.com>

Before this commit, BDRVVVFATState.qcow is unrefed in write_target_close
on closing backing bdrv of vvfat. However, qcow bdrv is opened as a child
of vvfat in enable_write_target() so it will also be unrefed on closing
vvfat itself. This causes use-after-free of qcow on freeing vvfat which
has backing bdrv and qcow bdrv as children in this order because
bdrv_close(vvfat) tries to free qcow bdrv after freeing backing bdrv
as QLIST_FOREACH_SAFE() loop keeps next pointer, but BdrvChild of qcow
is already freed in bdrv_close(backing bdrv).

Signed-off-by: Hikaru Nishida <hikarupsp@gmail.com>
Message-Id: <20200209175156.85748-1-hikarupsp@gmail.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
 block/vvfat.c | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/block/vvfat.c b/block/vvfat.c
index 019b8f1341..ab800c4887 100644
--- a/block/vvfat.c
+++ b/block/vvfat.c
@@ -3124,17 +3124,10 @@ write_target_commit(BlockDriverState *bs, uint64_t offset, uint64_t bytes,
     return ret;
 }
 
-static void write_target_close(BlockDriverState *bs) {
-    BDRVVVFATState* s = *((BDRVVVFATState**) bs->opaque);
-    bdrv_unref_child(s->bs, s->qcow);
-    g_free(s->qcow_filename);
-}
-
 static BlockDriver vvfat_write_target = {
     .format_name        = "vvfat_write_target",
     .instance_size      = sizeof(void*),
     .bdrv_co_pwritev    = write_target_commit,
-    .bdrv_close         = write_target_close,
 };
 
 static void vvfat_qcow_options(int *child_flags, QDict *child_options,
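Review bot: the removed write_target_close() did two things, and the commit message only accounts for one of them. Dropping bdrv_unref_child(s->bs, s->qcow) matches the stated double-unref, but the same deletion also drops g_free(s->qcow_filename), and nothing in this hunk shows where that buffer is released now. If vvfat's own close path does not already free it, this trades the use-after-free for a leak on every close of a writable vvfat; either move the g_free() there or state in the commit message where the filename is freed. A short comment next to vvfat_write_target noting that it deliberately has no .bdrv_close, because the qcow child is owned and released by the vvfat node, would also keep someone from reintroducing the callback later.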
-- 
2.20.1


