qemu/block
Vladimir Sementsov-Ogievskiy 0267101af6 block/nbd: fix possible use after free of s->connect_thread
If on nbd_close() we detach the thread (in
nbd_co_establish_connection_cancel() thr->state becomes
CONNECT_THREAD_RUNNING_DETACHED), after that point we should not use
s->connect_thread (which is set to NULL), as running thread may free it
at any time.

Still nbd_co_establish_connection() does exactly this: it saves
s->connect_thread to local variable (just for better code style) and
use it even after yield point, when thread may be already detached.

Fix that. Also check thr to be non-NULL on
nbd_co_establish_connection() start for safety.

After this patch "case CONNECT_THREAD_RUNNING_DETACHED" becomes
impossible in the second switch in nbd_co_establish_connection().
Still, don't add extra abort() just before the release. If it somehow
possible to reach this "case:" it won't hurt. Anyway, good refactoring
of all this reconnect mess will come soon.

Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Message-Id: <20210406155114.1057355-1-vsementsov@virtuozzo.com>
Reviewed-by: Roman Kagan <rvkagan@yandex-team.ru>
Signed-off-by: Max Reitz <mreitz@redhat.com>
2021-04-13 15:35:12 +02:00
..
export block/export: disable VHOST_USER_PROTOCOL_F_INFLIGHT_SHMFD for now 2021-03-19 10:15:06 +01:00
monitor block: Remove monitor command block_passwd 2021-03-23 22:31:56 +01:00
accounting.c block/accounting: Use lock guard macros 2020-12-11 17:52:39 +01:00
aio_task.c
amend.c block/amend: Check whether the node exists 2020-07-27 12:37:25 +02:00
backup-top.c backup-top: Refuse I/O in inactive state 2021-03-08 14:55:18 +01:00
backup-top.h qapi: backup: add perf.use-copy-range parameter 2021-01-26 14:36:37 +01:00
backup.c backup: Remove nodes from job in .clean() 2021-03-08 14:55:18 +01:00
blkdebug.c block: check return value of bdrv_open_child and drop error propagation 2021-03-08 15:07:09 -06:00
blklogwrites.c block: check return value of bdrv_open_child and drop error propagation 2021-03-08 15:07:09 -06:00
blkreplay.c block: check return value of bdrv_open_child and drop error propagation 2021-03-08 15:07:09 -06:00
blkverify.c block: check return value of bdrv_open_child and drop error propagation 2021-03-08 15:07:09 -06:00
block-backend.c sysemu: Let VMChangeStateHandler take boolean 'running' argument 2021-03-09 23:13:57 +01:00
block-copy.c block/block-copy: drop unused argument of block_copy() 2021-01-26 14:36:37 +01:00
block-gen.h scripts: add block-coroutine-wrapper.py 2020-10-05 10:59:06 +01:00
bochs.c block: Use bdrv_default_perms() 2020-05-18 19:05:25 +02:00
cloop.c block: Use bdrv_default_perms() 2020-05-18 19:05:25 +02:00
commit.c block: use return status of bdrv_append() 2021-02-12 15:39:44 -06:00
copy-on-read.c copy-on-read: skip non-guest reads if no copy needed 2021-01-26 14:36:37 +01:00
copy-on-read.h copy-on-read: add filter drop function 2021-01-26 11:26:54 +01:00
coroutines.h block: Return depth level during bdrv_is_allocated_above 2020-10-30 15:21:23 -05:00
create.c
crypto.c block: add bdrv_co_delete_file_noerr 2021-02-15 15:10:14 +01:00
crypto.h nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
curl.c curl: Disconnect sockets from CURLState 2021-03-19 10:15:06 +01:00
dirty-bitmap.c block: remove dirty bitmaps 'status' field 2021-03-18 09:22:55 +00:00
dmg-bz2.c
dmg-lzfse.c block: Remove unused include 2020-11-09 15:44:21 +01:00
dmg.c block: Fix some code style problems, "foo* bar" should be "foo *bar" 2020-11-09 18:42:47 +01:00
dmg.h
file-posix.c block: remove support for using "file" driver with block/char devices 2021-03-18 09:22:55 +00:00
file-win32.c block/file: switch to use qemu_open/qemu_create for improved errors 2020-09-16 10:33:48 +01:00
filter-compress.c block: Inline bdrv_co_block_status_from_*() 2020-09-07 12:31:31 +02:00
gluster.c qapi: More complex uses of QAPI_LIST_APPEND 2021-01-28 08:08:45 +01:00
io_uring.c io_uring: do not use pointer after free 2020-11-17 12:26:48 +01:00
io.c block: add new BlockDriver handler: bdrv_cancel_in_flight 2021-02-12 09:45:18 -06:00
iscsi-opts.c
iscsi.c Remove superfluous timer_del() calls 2021-01-08 15:13:38 +00:00
linux-aio.c
meson.build parallels: support bitmap extension for read-only mode 2021-03-08 14:56:55 +01:00
mirror.c mirror: Do not enter a paused job on completion 2021-04-09 18:00:29 +02:00
nbd.c block/nbd: fix possible use after free of s->connect_thread 2021-04-13 15:35:12 +02:00
nfs.c block/nfs: fix int overflow in nfs_client_open_qdict 2020-12-18 11:48:39 +01:00
null.c block/null: Implement bdrv_get_allocated_file_size 2020-09-07 12:31:31 +02:00
nvme.c block/nvme: Trace NVMe spec version supported by the controller 2021-02-02 17:05:38 +01:00
parallels-ext.c parallels: support bitmap extension for read-only mode 2021-03-08 14:56:55 +01:00
parallels.c parallels: support bitmap extension for read-only mode 2021-03-08 14:56:55 +01:00
parallels.h parallels: support bitmap extension for read-only mode 2021-03-08 14:56:55 +01:00
preallocate.c block: introduce preallocate filter 2020-12-18 12:35:55 +01:00
qapi-sysemu.c
qapi.c block: remove 'dirty-bitmaps' field from 'BlockInfo' struct 2021-03-18 09:22:55 +00:00
qcow2-bitmap.c nbd patches for 2021-03-09 2021-03-11 13:57:08 +00:00
qcow2-cache.c
qcow2-cluster.c qcow2: Fix corruption on write_zeroes with MAY_UNMAP 2020-11-24 11:29:41 +01:00
qcow2-refcount.c qcow2: Make qcow2_free_any_clusters() free only one cluster 2020-09-15 11:05:13 +02:00
qcow2-snapshot.c migration: introduce icount field for snapshots 2020-10-06 08:34:49 +02:00
qcow2-threads.c
qcow2.c qcow2: Force preallocation with data-file-raw 2021-03-30 13:02:10 +02:00
qcow2.h block/qcow2-bitmap: return status from qcow2_store_persistent_dirty_bitmaps 2021-03-08 16:03:21 -06:00
qcow.c block/qcow: remove runtime opts 2020-09-15 11:05:13 +02:00
qed-check.c
qed-cluster.c
qed-l2-cache.c
qed-table.c
qed.c block/qed: bdrv_qed_do_open: deal with errp 2021-03-08 16:03:32 -06:00
qed.h qed: Simplify backing reads 2020-07-06 10:34:14 +02:00
quorum.c block: check return value of bdrv_open_child and drop error propagation 2021-03-08 15:07:09 -06:00
raw-format.c block/raw-format: implement .bdrv_cancel_in_flight handler 2021-02-12 09:45:18 -06:00
rbd.c block/rbd: fix memory leak in qemu_rbd_co_create_opts() 2021-04-09 18:00:29 +02:00
replication.c qapi: backup: add max-chunk and max-workers to x-perf struct 2021-01-26 14:36:37 +01:00
sheepdog.c block: deprecate the sheepdog block driver 2020-10-15 16:06:28 +02:00
snapshot.c block: rename and alter bdrv_all_find_snapshot semantics 2021-02-08 11:19:51 +00:00
ssh.c qapi: Smooth another visitor error checking pattern 2020-07-10 15:18:08 +02:00
stream.c stream: Don't crash when node permission is denied 2021-03-19 10:15:06 +01:00
throttle-groups.c block/throttle-groups: throttle_group_co_io_limits_intercept(): 64bit bytes 2021-02-03 08:14:00 -06:00
throttle.c qemu/atomic.h: rename atomic_ to qatomic_ 2020-09-23 16:07:44 +01:00
trace-events block/io: use int64_t bytes in copy_range 2021-02-03 08:17:12 -06:00
trace.h trace: switch position of headers to what Meson requires 2020-08-21 06:18:24 -04:00
vdi.c block/vdi: Don't assume that blocks are larger than VdiHeader 2021-03-31 10:44:21 +01:00
vhdx-endian.c
vhdx-log.c
vhdx.c block/vhdx: Support vhdx image only with 512 bytes logical sector size 2020-09-15 11:05:13 +02:00
vhdx.h
vmdk.c qapi: Use QAPI_LIST_APPEND in trivial cases 2021-01-28 08:08:45 +01:00
vpc.c block/vpc: Use sizeof() instead of HEADER_SIZE for footer size 2020-12-18 12:43:30 +01:00
vvfat.c block/vvfat: Fix bad printf format specifiers 2020-11-03 16:24:56 +01:00
win32-aio.c
write-threshold.c