Re: [Qemu-devel] [PATCH 11/14] mirror: Fix potential use-after-free in active commit

2018-09-11 Thread Kevin Wolf 
Am 11.09.2018 um 10:31 hat Fam Zheng geschrieben:
> On Fri, 09/07 18:15, Kevin Wolf wrote:
> > When starting an active commit job, other callbacks can run before
> > mirror_start_job() calls bdrv_ref() where needed and cause the nodes to
> > go away. Add another pair of bdrv_ref/unref() around it to protect
> > against this case.
> > 
> > Signed-off-by: Kevin Wolf 
> > ---
> >  block/mirror.c | 9 +
> >  1 file changed, 9 insertions(+)
> > 
> > diff --git a/block/mirror.c b/block/mirror.c
> > index 6cc10df5c9..c42999eadf 100644
> > --- a/block/mirror.c
> > +++ b/block/mirror.c
> > @@ -1679,6 +1679,11 @@ void commit_active_start(const char *job_id, 
> > BlockDriverState *bs,
> >  
> >  orig_base_flags = bdrv_get_flags(base);
> >  
> > +/* bdrv_reopen() drains, which might make the BDSes go away before a
> > + * reference is taken in mirror_start_job(). */
> > +bdrv_ref(bs);
> > +bdrv_ref(base);
> > +
> >  if (bdrv_reopen(base, bs->open_flags, errp)) {
> 
> Doesn't it need bdrv_unref's in this branch?

Yes, of course. Thanks for catching this!

Kevin

Re: [Qemu-devel] [PATCH 11/14] mirror: Fix potential use-after-free in active commit

2018-09-11 Thread Fam Zheng 
On Fri, 09/07 18:15, Kevin Wolf wrote:
> When starting an active commit job, other callbacks can run before
> mirror_start_job() calls bdrv_ref() where needed and cause the nodes to
> go away. Add another pair of bdrv_ref/unref() around it to protect
> against this case.
> 
> Signed-off-by: Kevin Wolf 
> ---
>  block/mirror.c | 9 +
>  1 file changed, 9 insertions(+)
> 
> diff --git a/block/mirror.c b/block/mirror.c
> index 6cc10df5c9..c42999eadf 100644
> --- a/block/mirror.c
> +++ b/block/mirror.c
> @@ -1679,6 +1679,11 @@ void commit_active_start(const char *job_id, 
> BlockDriverState *bs,
>  
>  orig_base_flags = bdrv_get_flags(base);
>  
> +/* bdrv_reopen() drains, which might make the BDSes go away before a
> + * reference is taken in mirror_start_job(). */
> +bdrv_ref(bs);
> +bdrv_ref(base);
> +
>  if (bdrv_reopen(base, bs->open_flags, errp)) {

Doesn't it need bdrv_unref's in this branch?

>  return;
>  }
> @@ -1689,6 +1694,10 @@ void commit_active_start(const char *job_id, 
> BlockDriverState *bs,
>   _active_job_driver, false, base, auto_complete,
>   filter_node_name, false, MIRROR_COPY_MODE_BACKGROUND,
>   _err);
> +
> +bdrv_unref(bs);
> +bdrv_unref(base);
> +
>  if (local_err) {
>  error_propagate(errp, local_err);
>  goto error_restore_flags;
> -- 
> 2.13.6
>

[Qemu-devel] [PATCH 11/14] mirror: Fix potential use-after-free in active commit

2018-09-07 Thread Kevin Wolf 
When starting an active commit job, other callbacks can run before
mirror_start_job() calls bdrv_ref() where needed and cause the nodes to
go away. Add another pair of bdrv_ref/unref() around it to protect
against this case.

Signed-off-by: Kevin Wolf 
---
 block/mirror.c | 9 +
 1 file changed, 9 insertions(+)

diff --git a/block/mirror.c b/block/mirror.c
index 6cc10df5c9..c42999eadf 100644
--- a/block/mirror.c
+++ b/block/mirror.c
@@ -1679,6 +1679,11 @@ void commit_active_start(const char *job_id, 
BlockDriverState *bs,
 
 orig_base_flags = bdrv_get_flags(base);
 
+/* bdrv_reopen() drains, which might make the BDSes go away before a
+ * reference is taken in mirror_start_job(). */
+bdrv_ref(bs);
+bdrv_ref(base);
+
 if (bdrv_reopen(base, bs->open_flags, errp)) {
 return;
 }
@@ -1689,6 +1694,10 @@ void commit_active_start(const char *job_id, 
BlockDriverState *bs,
  _active_job_driver, false, base, auto_complete,
  filter_node_name, false, MIRROR_COPY_MODE_BACKGROUND,
  _err);
+
+bdrv_unref(bs);
+bdrv_unref(base);
+
 if (local_err) {
 error_propagate(errp, local_err);
 goto error_restore_flags;
-- 
2.13.6