block: Fix use after free in blockdev_mark_auto_del() - focaccia-qemu - Unnamed repository; edit this file 'description' to name the repository.

diff options

author	Kevin Wolf <kwolf@redhat.com>	2023-05-03 16:01:42 +0200
committer	Kevin Wolf <kwolf@redhat.com>	2023-05-10 14:16:35 +0200
commit	e2626874a32602d4e52971c786ef5ffb4430629d (patch)
tree	0e7531062aa0b37161318422918325c298c4bdf9 /scripts/qapi/parser.py
parent	3edf660a9155848d1d7bc6ad2586ceb0285105e3 (diff)
download	focaccia-qemu-e2626874a32602d4e52971c786ef5ffb4430629d.tar.gz focaccia-qemu-e2626874a32602d4e52971c786ef5ffb4430629d.zip

block: Fix use after free in blockdev_mark_auto_del()

job_cancel_locked() drops the job list lock temporarily and it may call
aio_poll(). We must assume that the list has changed after this call.
Also, with unlucky timing, it can end up freeing the job during
job_completed_txn_abort_locked(), making the job pointer invalid, too.

For both reasons, we can't just continue at block_job_next_locked(job).
Instead, start at the head of the list again after job_cancel_locked()
and skip those jobs that we already cancelled (or that are completing
anyway).

Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <20230503140142.474404-1-kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>

Diffstat (limited to 'scripts/qapi/parser.py')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: