Re: [Qemu-devel] [PULL 5/8] commit: Fix use after free in completion

2017-07-10 Thread Kevin Wolf
On 09.07.2017 at 19:09, Peter Maydell wrote: > On 13 June 2017 at 17:46, Kevin Wolf wrote: > > On 13.06.2017 at 18:12, Peter Maydell wrote: > >> On 7 June 2017 at 18:50, Kevin Wolf wrote: > >> > diff --git a/block/commit.c b/block/commit.c >

Re: [Qemu-devel] [PULL 5/8] commit: Fix use after free in completion

2017-07-09 Thread Peter Maydell
On 13 June 2017 at 17:46, Kevin Wolf wrote: > On 13.06.2017 at 18:12, Peter Maydell wrote: >> On 7 June 2017 at 18:50, Kevin Wolf wrote: >> > diff --git a/block/commit.c b/block/commit.c >> > index a3028b2..af6fa68 100644 >> > --- a/block/commit.c >>

Re: [Qemu-devel] [PULL 5/8] commit: Fix use after free in completion

2017-06-13 Thread Kevin Wolf
On 13.06.2017 at 18:12, Peter Maydell wrote: > On 7 June 2017 at 18:50, Kevin Wolf wrote: > > diff --git a/block/commit.c b/block/commit.c > > index a3028b2..af6fa68 100644 > > --- a/block/commit.c > > +++ b/block/commit.c > > @@ -89,6 +89,10 @@ static void

Re: [Qemu-devel] [PULL 5/8] commit: Fix use after free in completion

2017-06-13 Thread Peter Maydell
On 7 June 2017 at 18:50, Kevin Wolf wrote: > The final bdrv_set_backing_hd() could be working on already freed nodes > because the commit job drops its references (through BlockBackends) to > both overlay_bs and top already a bit earlier. > > One way to trigger the bug is hot

[Qemu-devel] [PULL 5/8] commit: Fix use after free in completion

2017-06-07 Thread Kevin Wolf
The final bdrv_set_backing_hd() could be working on already freed nodes because the commit job drops its references (through BlockBackends) to both overlay_bs and top already a bit earlier. One way to trigger the bug is hot unplugging a disk for which blockdev_mark_auto_del() cancels the block