Hi all!

I faced a use-after-free of the bs->backing pointer after bdrv_unref_child in
bdrv_set_backing_hd. Fix it, and do a similar thing for s->data_file in
qcow2.c.

I'm not sure that this is the full fix. Is it safe to keep bs->backing
during bdrv_unref_child itself? Is it safe to keep bs->backing during the
all-child-unref loop in bdrv_close?

Vladimir Sementsov-Ogievskiy (2):
  block: bdrv_set_backing_bs: fix use-after-free
  block/qcow2: zero data_file child after free

 block.c       | 2 +-
 block/qcow2.c | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

--
2.21.0