| commit | 19ebd13ed45ad5d5f277f5914d55b83f13eb09eb | |
| author | Kevin Wolf <kwolf@redhat.com> | |
| Fri, 2 Jun 2017 21:04:55 +0000 (2 23:04 +0200) | ||
| committer | Kevin Wolf <kwolf@redhat.com> | |
| Fri, 9 Jun 2017 11:46:13 +0000 (9 13:46 +0200) | ||
| tree | ee37d5d3330a0e7824b4fd5aa377d0a6c92b6d30 | treesnapshot (tar.gz zip) |
| parent | 49695eeb7485f1c45c288e741ae6b939c7bfb2a6 | commitdiff |
commit: Fix use after free in completion
The final bdrv_set_backing_hd() could be working on already freed nodes
because the commit job drops its references (through BlockBackends) to
both overlay_bs and top already a bit earlier.
One way to trigger the bug is hot unplugging a disk for which
blockdev_mark_auto_del() cancels the block job.
Fix this by taking BDS-level references while we're still using the
nodes.
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
The final bdrv_set_backing_hd() could be working on already freed nodes
because the commit job drops its references (through BlockBackends) to
both overlay_bs and top already a bit earlier.
One way to trigger the bug is hot unplugging a disk for which
blockdev_mark_auto_del() cancels the block job.
Fix this by taking BDS-level references while we're still using the
nodes.
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
| block/commit.c | diffblobblamehistory |