qemu/block
Max Reitz 7a25fcd056 block/mirror: Fix use-after-free
If @bs does not have any parents, the only reference to @mirror_top_bs
will be held by the BlockJob object after the bdrv_unref() following
block_job_create(). However, if block_job_create() fails, this reference
will not exist and @mirror_top_bs will have been deleted when we
goto fail.

The issue comes back at all later entries to the fail label: We delete
the BlockJob object before rolling back our changes to the node graph.
This means that we will delete @mirror_top_bs in the process.

All in all, whenever @bs does not have any parents and we go down the
fail path we will dereference @mirror_top_bs after it has been deleted.

Fix this by invoking bdrv_unref() only when block_job_create() was
successful and by bdrv_ref()'ing @mirror_top_bs in the fail path before
deleting the BlockJob object. Finally, bdrv_unref() it at the end of the
fail path after we actually no longer need it.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2017-04-07 14:44:05 +02:00
accounting.c block: Clean up includes 2016-01-20 13:36:23 +01:00
backup.c backup: React to bdrv_is_allocated() errors 2017-03-13 12:49:33 +01:00
blkdebug.c block: Request child permissions in filter drivers 2017-02-28 20:40:36 +01:00
blkreplay.c block: Request child permissions in filter drivers 2017-02-28 20:40:36 +01:00
blkverify.c block: Request child permissions in filter drivers 2017-02-28 20:40:36 +01:00
block-backend.c block: Ignore guest dev permissions during incoming migration 2017-04-07 14:44:05 +02:00
bochs.c block: Request child permissions in format drivers 2017-02-28 20:40:36 +01:00
cloop.c block: Request child permissions in format drivers 2017-02-28 20:40:36 +01:00
commit.c commit: Set commit_top_bs->total_sectors 2017-04-07 14:44:05 +02:00
crypto.c block: Request child permissions in format drivers 2017-02-28 20:40:36 +01:00
curl.c block/curl: Check protocol prefix 2017-03-31 15:53:22 -04:00
dirty-bitmap.c block: More operations for meta dirty bitmap 2016-10-24 17:56:07 +02:00
dmg-bz2.c dmg: Move libbz2 code to dmg-bz2.so 2016-10-07 14:14:06 +02:00
dmg.c block: Request child permissions in format drivers 2017-02-28 20:40:36 +01:00
dmg.h dmg: Move libbz2 code to dmg-bz2.so 2016-10-07 14:14:06 +02:00
file-posix.c block: Document -drive problematic code and bugs 2017-04-03 17:11:39 +02:00
file-win32.c block: Rename raw-{posix,win32} to file-*.c 2017-01-09 13:30:53 +01:00
gluster.c qapi-schema: SocketAddressFlat variants 'vsock' and 'fd' 2017-04-03 17:11:39 +02:00
io.c block: Request block status from *file for BDRV_BLOCK_RAW 2017-03-13 12:49:33 +01:00
iscsi-opts.c block/iscsi: statically link qemu_iscsi_opts 2017-01-27 18:07:58 +01:00
iscsi.c iscsi: drop unused IscsiAIOCB.qiov field 2017-04-02 21:17:47 +02:00
linux-aio.c block: explicitly acquire aiocontext in aio callbacks that need it 2017-02-21 11:39:39 +00:00
Makefile.objs block: Drop unmaintained 'archipelago' driver 2017-03-13 12:49:33 +01:00
mirror.c block/mirror: Fix use-after-free 2017-04-07 14:44:05 +02:00
nbd-client.c nbd-client: fix handling of hungup connections 2017-03-27 16:50:36 +02:00
nbd-client.h nbd: drop unused NBDClientSession.is_unix field 2017-03-27 14:41:01 +02:00
nbd.c * MemoryRegionCache revert 2017-04-04 11:40:55 +01:00
nfs.c block: Document -drive problematic code and bugs 2017-04-03 17:11:39 +02:00
null.c block: explicitly acquire aiocontext in aio callbacks that need it 2017-02-21 11:39:39 +00:00
parallels.c block/parallels: Avoid overflows 2017-04-03 17:11:40 +02:00
qapi.c block: Don't bother asserting type of output visitor's output 2017-02-22 19:52:20 +01:00
qcow2-cache.c qcow2: Remove stale comment 2016-11-25 13:51:30 +01:00
qcow2-cluster.c qcow2: Discard unaligned tail when wiping image 2017-04-03 17:11:40 +02:00
qcow2-refcount.c block: Pass BdrvChild to bdrv_truncate() 2017-02-24 16:09:23 +01:00
qcow2-snapshot.c block: Convert bdrv_pwrite(v/_sync) to BdrvChild 2016-07-05 16:46:27 +02:00
qcow2.c block: Add BDRV_O_RESIZE for blk_new_open() 2017-02-28 20:40:36 +01:00
qcow2.h qcow2: Optimize the refcount-block overlap check 2017-02-12 00:47:43 +01:00
qcow.c block: Add BDRV_O_RESIZE for blk_new_open() 2017-02-28 20:40:36 +01:00
qed-check.c qed: Use DIV_ROUND_UP 2016-06-07 18:19:24 +03:00
qed-cluster.c block: explicitly acquire aiocontext in aio callbacks that need it 2017-02-21 11:39:39 +00:00
qed-gencb.c block: Clean up includes 2016-01-20 13:36:23 +01:00
qed-l2-cache.c block: Clean up includes 2016-01-20 13:36:23 +01:00
qed-table.c block: explicitly acquire aiocontext in aio callbacks that need it 2017-02-21 11:39:39 +00:00
qed.c block: Add BDRV_O_RESIZE for blk_new_open() 2017-02-28 20:40:36 +01:00
qed.h block: explicitly acquire aiocontext in timers that need it 2017-02-21 11:14:08 +00:00
quorum.c block: Request child permissions in filter drivers 2017-02-28 20:40:36 +01:00
raw-format.c block: Request child permissions in filter drivers 2017-02-28 20:40:36 +01:00
rbd.c block: Document -drive problematic code and bugs 2017-04-03 17:11:39 +02:00
replication.c replication: clarify permissions 2017-03-17 12:54:06 +01:00
sheepdog.c sheepdog: Fix blockdev-add 2017-04-03 17:11:39 +02:00
snapshot.c error: Remove NULL checks on error_propagate() calls 2016-06-20 16:38:13 +02:00
ssh.c block: Document -drive problematic code and bugs 2017-04-03 17:11:39 +02:00
stream.c block: Add Error parameter to bdrv_set_backing_hd() 2017-02-28 20:47:51 +01:00
throttle-groups.c coroutine-lock: add mutex argument to CoQueue APIs 2017-02-21 11:39:40 +00:00
trace-events trace: clean up trace-events files 2017-01-31 17:12:15 +00:00
vdi.c block: Add BDRV_O_RESIZE for blk_new_open() 2017-02-28 20:40:36 +01:00
vhdx-endian.c vhdx: Use QEMU UUID API 2016-09-23 11:42:52 +08:00
vhdx-log.c block: Pass BdrvChild to bdrv_truncate() 2017-02-24 16:09:23 +01:00
vhdx.c block: Add BDRV_O_RESIZE for blk_new_open() 2017-02-28 20:40:36 +01:00
vhdx.h block: vhdx - update PAYLOAD_BLOCK_UNMAPPED value to match 1.00 spec 2014-12-12 15:42:22 +00:00
vmdk.c block: Add BDRV_O_RESIZE for blk_new_open() 2017-02-28 20:40:36 +01:00
vpc.c block: Add BDRV_O_RESIZE for blk_new_open() 2017-02-28 20:40:36 +01:00
vvfat.c vvfat: React to bdrv_is_allocated() errors 2017-03-13 12:49:33 +01:00
win32-aio.c block: explicitly acquire aiocontext in aio callbacks that need it 2017-02-21 11:39:39 +00:00
write-threshold.c block: use bdrv_add_before_write_notifier 2016-10-07 13:34:07 +02:00