Re: [PATCH 1/2] block: bdrv_set_backing_bs: fix use-after-free

2020-03-16 Thread John Snow
On 3/16/20 4:47 AM, Philippe Mathieu-Daudé wrote:
> On 3/16/20 7:06 AM, Vladimir Sementsov-Ogievskiy wrote:
>> There is a use-after-free possible: bdrv_unref_child() leaves
>> bs->backing freed but not NULL. bdrv_attach_child may produce nested
>> polling loop due to drain, then access of freed

Re: [PATCH 1/2] block: bdrv_set_backing_bs: fix use-after-free

2020-03-16 Thread Philippe Mathieu-Daudé
On 3/16/20 7:06 AM, Vladimir Sementsov-Ogievskiy wrote:
> There is a use-after-free possible: bdrv_unref_child() leaves bs->backing freed but not NULL. bdrv_attach_child may produce nested polling loop due to drain, then access of freed pointer is possible. I've produced the following crash on 30

[PATCH 1/2] block: bdrv_set_backing_bs: fix use-after-free

2020-03-16 Thread Vladimir Sementsov-Ogievskiy
There is a use-after-free possible: bdrv_unref_child() leaves bs->backing freed but not NULL. bdrv_attach_child may produce nested polling loop due to drain, then access of freed pointer is possible. I've produced the following crash on 30 iotest with modified code. It does not reproduce on