[PATCH v3 0/2] block-backend: prevent dangling BDS pointers across aio_poll()

Stefan Hajnoczi posted 2 patches 2 years, 2 months ago
Test checkpatch passed
Patches applied successfully
git fetch https://github.com/patchew-project/qemu tags/patchew/20220111153613.25453-1-stefanha@redhat.com
Maintainers: Hanna Reitz <hreitz@redhat.com>, Kevin Wolf <kwolf@redhat.com>
[PATCH v3 0/2] block-backend: prevent dangling BDS pointers across aio_poll()
Posted by Stefan Hajnoczi 2 years, 2 months ago
This series fixes use-after-free bugs when blk->root changes across aio_poll().
For example, a temporary filter node can be removed by a blockjob when a
drained section begins. If the caller doesn't hold a ref on the BDS then it
will have been freed.

Hanna Reitz (1):
  iotests/stream-error-on-reset: New test

Stefan Hajnoczi (1):
  block-backend: prevent dangling BDS pointers across aio_poll()

 block/block-backend.c                         |  19 ++-
 .../qemu-iotests/tests/stream-error-on-reset  | 140 ++++++++++++++++++
 .../tests/stream-error-on-reset.out           |   5 +
 3 files changed, 162 insertions(+), 2 deletions(-)
 create mode 100755 tests/qemu-iotests/tests/stream-error-on-reset
 create mode 100644 tests/qemu-iotests/tests/stream-error-on-reset.out

-- 
2.33.1
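
The lifetime rule from the cover letter (hold a ref on the BDS across aio_poll()), as an added example that is not part of this series or of QEMU's code. `Node`, `Backend`, `poll_replaces_root` and `drain_pinned` are hypothetical names for a toy refcounted node whose backend root is swapped while polling.

```c
#include <stdlib.h>

/* Hypothetical stand-ins for a refcounted node (BDS) and its backend (blk). */
typedef struct Node { int refcnt; int in_flight; } Node;
typedef struct Backend { Node *root; } Backend;

static int nodes_freed;   /* counts frees so node lifetimes are observable */

static Node *node_new(void) {
    Node *n = calloc(1, sizeof(*n));
    if (!n) abort();
    n->refcnt = 1;
    return n;
}
static void node_ref(Node *n) { n->refcnt++; }
static void node_unref(Node *n) {
    if (--n->refcnt == 0) { free(n); nodes_freed++; }
}

/* Models a poll step in which a job removes a temporary filter node:
 * the backend's root is swapped and the backend's reference is dropped. */
static void poll_replaces_root(Backend *b) {
    Node *old = b->root;
    b->root = node_new();
    node_unref(old);
}

/* Safe pattern: pin the node before polling, use only the pinned pointer
 * afterwards, then drop the pin. Returns how many nodes were freed while
 * the pointer was still in use (0 means it never dangled). */
static int drain_pinned(Backend *b) {
    Node *bs = b->root;
    int freed_before = nodes_freed;
    node_ref(bs);                   /* without this, bs dangles after the poll */
    poll_replaces_root(b);
    int freed_during = nodes_freed - freed_before;
    bs->in_flight = 0;              /* valid: our reference keeps bs alive */
    node_unref(bs);                 /* last reference, node is freed here */
    return freed_during;
}
```
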



Re: [PATCH v3 0/2] block-backend: prevent dangling BDS pointers across aio_poll()
Posted by Kevin Wolf 2 years, 2 months ago
On 11.01.2022 at 16:36, Stefan Hajnoczi wrote:
> This series fixes use-after-free bugs when blk->root changes across aio_poll().
> For example, a temporary filter node can be removed by a blockjob when a
> drained section begins. If the caller doesn't hold a ref on the BDS then it
> will have been freed.
> 
> Hanna Reitz (1):
>   iotests/stream-error-on-reset: New test
> 
> Stefan Hajnoczi (1):
>   block-backend: prevent dangling BDS pointers across aio_poll()

Thanks, applied to the block branch.

Kevin