Am 09.02.2020 um 18:51 hat Hikaru Nishida geschrieben: > Before this commit, BDRVVVFATState.qcow is unrefed in write_target_close > on closing backing bdrv of vvfat. However, qcow bdrv is opend as a child > of vvfat in enable_write_target() so it will be also unrefed on closing > vvfat itself. This causes use-after-free of qcow on freeing vvfat which > has backing bdrv and qcow bdrv as children in this order because > bdrv_close(vvfat) tries to free qcow bdrv after freeing backing bdrv > as QLIST_FOREACH_SAFE() loop keeps next pointer, but BdrvChild of qcow > is already freed in bdrv_close(backing bdrv). > > Signed-off-by: Hikaru Nishida <hikaru...@gmail.com>
Thanks, applied to the block branch. Kevin