[Qemu-block] [PULL 20/42] block: Fix use after free error in bdrv_open_i
From: Max Reitz
Subject: [Qemu-block] [PULL 20/42] block: Fix use after free error in bdrv_open_inherit()
Date: Tue, 25 Sep 2018 17:15:19 +0200
From: Alberto Garcia <address@hidden>

When a block device is opened with BDRV_O_SNAPSHOT and the
bdrv_append_temp_snapshot() call fails then the error code path tries
to unref the already destroyed 'options' QDict.

This can be reproduced easily by setting TMPDIR to a location where
the QEMU process can't write:

$ TMPDIR=/nonexistent $QEMU -drive driver=null-co,snapshot=on

Signed-off-by: Alberto Garcia <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
---
block.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/block.c b/block.c
index 0dbb1fcc7b..a381c8ece8 100644
--- a/block.c
+++ b/block.c
@@ -2792,6 +2792,7 @@ static BlockDriverState *bdrv_open_inherit(const char
*filename,
bdrv_parent_cb_change_media(bs, true);
qobject_unref(options);
+ options = NULL;
/* For snapshot=on, create a temporary qcow2 overlay. bs points to the
* temporary snapshot afterwards. */
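Review bot: The added 'options = NULL;' directly after 'qobject_unref(options);' has no comment saying why the pointer is cleared, so it reads like a dead store that a later cleanup could remove, bringing back the use after free on the bdrv_append_temp_snapshot() failure path described in the commit message. Suggest a one-line comment above the assignment noting that the error path unrefs 'options' again and relies on it being NULL at this point. The TMPDIR reproducer from the commit message is also worth keeping as a regression test so the snapshot=on failure path stays exercised.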
--
2.17.1