|
 |
1bdc94 |
From 24f8fe9543b18cc484fc43ac1bf5bd7780656fbd Mon Sep 17 00:00:00 2001
|
|
|
1bdc94 |
From: Kevin Wolf <kwolf@redhat.com>
|
|
|
1bdc94 |
Date: Fri, 14 Sep 2018 10:55:35 +0200
|
|
|
1bdc94 |
Subject: [PATCH 44/49] mirror: Fix potential use-after-free in active commit
|
|
|
1bdc94 |
|
|
|
1bdc94 |
RH-Author: Kevin Wolf <kwolf@redhat.com>
|
|
|
1bdc94 |
Message-id: <20180914105540.18077-38-kwolf@redhat.com>
|
|
|
1bdc94 |
Patchwork-id: 82188
|
|
|
1bdc94 |
O-Subject: [RHV-7.6 qemu-kvm-rhev PATCH 37/42] mirror: Fix potential use-after-free in active commit
|
|
|
1bdc94 |
Bugzilla: 1601212
|
|
|
1bdc94 |
RH-Acked-by: John Snow <jsnow@redhat.com>
|
|
|
1bdc94 |
RH-Acked-by: Max Reitz <mreitz@redhat.com>
|
|
|
1bdc94 |
RH-Acked-by: Fam Zheng <famz@redhat.com>
|
|
|
1bdc94 |
|
|
|
1bdc94 |
When starting an active commit job, other callbacks can run before
|
|
|
1bdc94 |
mirror_start_job() calls bdrv_ref() where needed and cause the nodes to
|
|
|
1bdc94 |
go away. Add another pair of bdrv_ref/unref() around it to protect
|
|
|
1bdc94 |
against this case.
|
|
|
1bdc94 |
|
|
|
1bdc94 |
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
|
|
1bdc94 |
Reviewed-by: Max Reitz <mreitz@redhat.com>
|
|
|
1bdc94 |
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
|
|
1bdc94 |
---
|
|
|
1bdc94 |
block/mirror.c | 11 +++++++++++
|
|
|
1bdc94 |
1 file changed, 11 insertions(+)
|
|
|
1bdc94 |
|
|
|
1bdc94 |
diff --git a/block/mirror.c b/block/mirror.c
|
|
|
1bdc94 |
index 4b27f71..8658873 100644
|
|
|
1bdc94 |
--- a/block/mirror.c
|
|
|
1bdc94 |
+++ b/block/mirror.c
|
|
|
1bdc94 |
@@ -1335,7 +1335,14 @@ void commit_active_start(const char *job_id, BlockDriverState *bs,
|
|
|
1bdc94 |
|
|
|
1bdc94 |
orig_base_flags = bdrv_get_flags(base);
|
|
|
1bdc94 |
|
|
|
1bdc94 |
+ /* bdrv_reopen() drains, which might make the BDSes go away before a
|
|
|
1bdc94 |
+ * reference is taken in mirror_start_job(). */
|
|
|
1bdc94 |
+ bdrv_ref(bs);
|
|
|
1bdc94 |
+ bdrv_ref(base);
|
|
|
1bdc94 |
+
|
|
|
1bdc94 |
if (bdrv_reopen(base, bs->open_flags, errp)) {
|
|
|
1bdc94 |
+ bdrv_unref(bs);
|
|
|
1bdc94 |
+ bdrv_unref(base);
|
|
|
1bdc94 |
return;
|
|
|
1bdc94 |
}
|
|
|
1bdc94 |
|
|
|
1bdc94 |
@@ -1344,6 +1351,10 @@ void commit_active_start(const char *job_id, BlockDriverState *bs,
|
|
|
1bdc94 |
on_error, on_error, true, cb, opaque,
|
|
|
1bdc94 |
&commit_active_job_driver, false, base, auto_complete,
|
|
|
1bdc94 |
filter_node_name, false, &local_err);
|
|
|
1bdc94 |
+
|
|
|
1bdc94 |
+ bdrv_unref(bs);
|
|
|
1bdc94 |
+ bdrv_unref(base);
|
|
|
1bdc94 |
+
|
|
|
1bdc94 |
if (local_err) {
|
|
|
1bdc94 |
error_propagate(errp, local_err);
|
|
|
1bdc94 |
goto error_restore_flags;
|
|
|
1bdc94 |
--
|
|
|
1bdc94 |
1.8.3.1
|
|
|
1bdc94 |
|