| author | Kevin Wolf <kwolf@redhat.com> | 2023-05-03 16:01:42 +0200 |
|---|---|---|
| committer | Michael Tokarev <mjt@tls.msk.ru> | 2023-05-10 20:50:38 +0300 |
| commit | 2197a94cb461c3bfff9d183ae79d4c99964163c4 (patch) | |
| tree | 63840fa4a5fb647346e48d1f9d39410e2516f11f /page-vary-common.c | |
| parent | 8322e5300fb5fa7fbbe27b1882263159f24c5ae9 (diff) | |
block: Fix use after free in blockdev_mark_auto_del()
job_cancel_locked() drops the job list lock temporarily and it may call
aio_poll(). We must assume that the list has changed after this call.
Also, with unlucky timing, it can end up freeing the job during
job_completed_txn_abort_locked(), making the job pointer invalid, too.
For both reasons, we can't just continue at block_job_next_locked(job).
Instead, start at the head of the list again after job_cancel_locked()
and skip those jobs that we already cancelled (or that are completing
anyway).
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <20230503140142.474404-1-kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit e2626874a32602d4e52971c786ef5ffb4430629d)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Diffstat (limited to 'page-vary-common.c')
0 files changed, 0 insertions, 0 deletions
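The commit message describes a classic lock-drop hazard: a loop caches `job->next`, calls a cancel routine that temporarily releases the list lock, and then reads the cached pointer after the job (or its neighbour) may have been freed. The block below is an added example, not QEMU code, written to illustrate the fixed iteration pattern on a hypothetical single-threaded job list. All names (`Job`, `cancel_job`, `cancel_all_jobs`, the `finishes_immediately` flag) are assumptions chosen for the illustration; `cancel_job` stands in for `job_cancel_locked()` and simulates the "unlucky timing" case by unlinking and freeing the job it was asked to cancel.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical job record (not QEMU's struct Job). */
typedef struct Job {
    int id;
    int cancelled;            /* set once cancel has been requested   */
    int completing;           /* job is already finishing on its own  */
    int finishes_immediately; /* constructed flag: cancel frees the job */
    struct Job *next;
} Job;

static Job *job_list_head;

/* Stand-in for job_cancel_locked(): the real function may drop the list
 * lock and poll, after which the list and the job itself may be gone.
 * Here that is modelled by unlinking and freeing the job outright when
 * finishes_immediately is set.  After this call the caller must not
 * dereference `job` and must not trust any cached next pointer. */
static void cancel_job(Job *job)
{
    job->cancelled = 1;
    if (job->finishes_immediately) {
        Job **pp = &job_list_head;
        while (*pp != job) {
            pp = &(*pp)->next;
        }
        *pp = job->next;
        free(job);
    }
}

/* The unsafe form (not compiled here) would be:
 *     for (job = head; job; job = job->next) { cancel_job(job); }
 * which reads job->next after cancel_job() may have freed job.
 *
 * Safe form, mirroring the fix: after every cancel, restart from the
 * head and skip jobs already cancelled or completing anyway. */
static int cancel_all_jobs(void)
{
    int cancelled = 0;
    Job *job;

restart:
    for (job = job_list_head; job; job = job->next) {
        if (job->cancelled || job->completing) {
            continue; /* already handled, or will finish by itself */
        }
        cancel_job(job); /* may free job and reshape the list */
        cancelled++;
        goto restart;    /* never touch job->next after cancel_job() */
    }
    return cancelled;
}

/* Helpers to build and inspect a constructed sample list. */
static void add_job(int id, int completing, int finishes_immediately)
{
    Job *j = calloc(1, sizeof(*j));
    if (!j) {
        abort();
    }
    j->id = id;
    j->completing = completing;
    j->finishes_immediately = finishes_immediately;
    j->next = job_list_head; /* push at the head */
    job_list_head = j;
}

static int count_jobs(void)
{
    int n = 0;
    for (Job *j = job_list_head; j; j = j->next) {
        n++;
    }
    return n;
}

/* Returns 1 if every surviving job is either cancelled or completing. */
static int remaining_all_handled(void)
{
    for (Job *j = job_list_head; j; j = j->next) {
        if (!j->cancelled && !j->completing) {
            return 0;
        }
    }
    return 1;
}

static void free_all_jobs(void)
{
    while (job_list_head) {
        Job *j = job_list_head;
        job_list_head = j->next;
        free(j);
    }
}

/* Constructed sample: four jobs, one already completing, one that is
 * freed the moment it is cancelled. */
static void setup_sample_list(void)
{
    free_all_jobs();
    add_job(1, 0, 0);
    add_job(2, 0, 1);
    add_job(3, 1, 0);
    add_job(4, 0, 0);
}

int main(void)
{
    setup_sample_list();
    int n = cancel_all_jobs();
    printf("cancelled %d jobs, %d still linked, all handled: %d\n",
           n, count_jobs(), remaining_all_handled());
    free_all_jobs();
    return 0;
}
```

The `goto restart` is the whole point: the cost is re-walking already cancelled entries, which the `cancelled || completing` check keeps to a single skip per job, and in exchange no pointer obtained before the cancel call is ever dereferenced afterwards.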