Re: [PATCH 0/2] zero pointer after bdrv_unref_child

[Max Reitz]

On 16.03.20 07:06, Vladimir Sementsov-Ogievskiy wrote:
> Hi all!
> 
> I faced use-after-free of bs->backing pointer after bdrv_unref_child in
> bdrv_set_backing_hd.
> 
> Fix it, and do similar thing for s->data_file in qcow2.c.
> 
> I'm not sure that this is the full fix. Is it safe to keep bs->backing
> during bdrv_unref_child itself? Is it safe to keep bs->backing during
> all-child-unref loop in bdrv_close?
> 
> 
> Vladimir Sementsov-Ogievskiy (2):
>   block: bdrv_set_backing_bs: fix use-after-free
>   block/qcow2: zero data_file child after free

Thanks, applied to my block branch:

https://git.xanclic.moe/XanClic/qemu/commits/branch/block

Max



signature.asc
Description: OpenPGP digital signature

[PATCH 0/2] zero pointer after bdrv_unref_child

[Vladimir Sementsov-Ogievskiy]

Hi all!

I faced use-after-free of bs->backing pointer after bdrv_unref_child in
bdrv_set_backing_hd.

Fix it, and do similar thing for s->data_file in qcow2.c.

I'm not sure that this is the full fix. Is it safe to keep bs->backing
during bdrv_unref_child itself? Is it safe to keep bs->backing during
all-child-unref loop in bdrv_close?


Vladimir Sementsov-Ogievskiy (2):
  block: bdrv_set_backing_bs: fix use-after-free
  block/qcow2: zero data_file child after free

 block.c   | 2 +-
 block/qcow2.c | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

-- 
2.21.0