[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PULL 44/69] mirror: Do not dereference invalid pointers
From: |
Max Reitz |
Subject: |
[PULL 44/69] mirror: Do not dereference invalid pointers |
Date: |
Mon, 28 Oct 2019 13:14:36 +0100 |
mirror_exit_common() may be called twice (if it is called from
mirror_prepare() and fails, it will be called from mirror_abort()
again).
In such a case, many of the pointers in the MirrorBlockJob object will
already be freed. This can be seen most reliably for s->target, which
is set to NULL (and then dereferenced by blk_bs()).
Cc: address@hidden
Fixes: 737efc1eda23b904fbe0e66b37715fb0e5c3e58b
Signed-off-by: Max Reitz <address@hidden>
Reviewed-by: John Snow <address@hidden>
Reviewed-by: Vladimir Sementsov-Ogievskiy <address@hidden>
Message-id: address@hidden
Signed-off-by: Max Reitz <address@hidden>
---
block/mirror.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/block/mirror.c b/block/mirror.c
index 454365ce00..bb17cfce31 100644
--- a/block/mirror.c
+++ b/block/mirror.c
@@ -620,11 +620,11 @@ static int mirror_exit_common(Job *job)
{
MirrorBlockJob *s = container_of(job, MirrorBlockJob, common.job);
BlockJob *bjob = &s->common;
- MirrorBDSOpaque *bs_opaque = s->mirror_top_bs->opaque;
+ MirrorBDSOpaque *bs_opaque;
AioContext *replace_aio_context = NULL;
- BlockDriverState *src = s->mirror_top_bs->backing->bs;
- BlockDriverState *target_bs = blk_bs(s->target);
- BlockDriverState *mirror_top_bs = s->mirror_top_bs;
+ BlockDriverState *src;
+ BlockDriverState *target_bs;
+ BlockDriverState *mirror_top_bs;
Error *local_err = NULL;
bool abort = job->ret < 0;
int ret = 0;
@@ -634,6 +634,11 @@ static int mirror_exit_common(Job *job)
}
s->prepared = true;
+ mirror_top_bs = s->mirror_top_bs;
+ bs_opaque = mirror_top_bs->opaque;
+ src = mirror_top_bs->backing->bs;
+ target_bs = blk_bs(s->target);
+
if (bdrv_chain_contains(src, target_bs)) {
bdrv_unfreeze_backing_chain(mirror_top_bs, target_bs);
}
--
2.21.0
- [PULL 34/69] iotests/267: Create socket in $SOCK_DIR, (continued)
- [PULL 34/69] iotests/267: Create socket in $SOCK_DIR, Max Reitz, 2019/10/28
- [PULL 33/69] iotests/240: Create socket in $SOCK_DIR, Max Reitz, 2019/10/28
- [PULL 36/69] block/block-copy: allocate buffer in block_copy_with_bounce_buffer, Max Reitz, 2019/10/28
- [PULL 37/69] block/block-copy: limit copy_range_size to 16 MiB, Max Reitz, 2019/10/28
- [PULL 38/69] block/block-copy: refactor copying, Max Reitz, 2019/10/28
- [PULL 39/69] util: introduce SharedResource, Max Reitz, 2019/10/28
- [PULL 40/69] block/block-copy: add memory limit, Max Reitz, 2019/10/28
- [PULL 41/69] block/block-copy: increase buffered copy request, Max Reitz, 2019/10/28
- [PULL 42/69] block/nvme: add support for write zeros, Max Reitz, 2019/10/28
- [PULL 43/69] block/nvme: add support for discard, Max Reitz, 2019/10/28
- [PULL 44/69] mirror: Do not dereference invalid pointers,
Max Reitz <=
- [PULL 45/69] include: Move endof() up from hw/virtio/virtio.h, Max Reitz, 2019/10/28
- [PULL 46/69] qcow2: Use endof(), Max Reitz, 2019/10/28
- [PULL 49/69] qcow2: Make qcow2_write_snapshots() public, Max Reitz, 2019/10/28
- [PULL 47/69] qcow2: Add Error ** to qcow2_read_snapshots(), Max Reitz, 2019/10/28
- [PULL 51/69] qcow2: Write v3-compliant snapshot list on upgrade, Max Reitz, 2019/10/28
- [PULL 50/69] qcow2: Put qcow2_upgrade() into its own function, Max Reitz, 2019/10/28
- [PULL 53/69] qcow2: Add qcow2_check_fix_snapshot_table(), Max Reitz, 2019/10/28
- [PULL 48/69] qcow2: Keep unknown extra snapshot data, Max Reitz, 2019/10/28
- [PULL 62/69] block/cor: Drop cor_co_truncate(), Max Reitz, 2019/10/28
- [PULL 59/69] iotests: Add peek_file* functions, Max Reitz, 2019/10/28