qemu/block
Stefan Hajnoczi 7103895123 block-backend: avoid bdrv_unregister_buf() NULL pointer deref
bdrv_*() APIs expect a valid BlockDriverState. Calling them with bs=NULL
leads to undefined behavior.

Jonathan Cameron reported this following NULL pointer dereference when a
VM with a virtio-blk device and a memory-backend-file object is
terminated:
1. qemu_cleanup() closes all drives, setting blk->root to NULL
2. qemu_cleanup() calls user_creatable_cleanup(), which results in a RAM
   block notifier callback because the memory-backend-file is destroyed.
3. blk_unregister_buf() is called by virtio-blk's BlockRamRegistrar
   notifier callback and undefined behavior occurs.

Fixes: baf422684d ("virtio-blk: use BDRV_REQ_REGISTERED_BUF optimization hint")
Co-authored-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20221121211923.1993171-1-stefanha@redhat.com>
2022-11-29 18:15:26 -05:00
..
export block: remove bdrv_try_set_aio_context and replace it with bdrv_try_change_aio_context 2022-10-27 20:14:11 +02:00
monitor monitor: add missing coroutine_fn annotation 2022-10-27 20:14:11 +02:00
accounting.c block: add missed block_acct_setup with new block device init procedure 2022-09-30 18:42:34 +02:00
aio_task.c block/aio_task: assert max_busy_tasks is greater than 0 2021-10-05 18:56:41 +02:00
amend.c block/amend: Keep strong reference to BDS 2022-03-04 18:18:26 +01:00
backup.c backup: remove incorrect coroutine_fn annotation 2022-10-27 20:14:11 +02:00
blkdebug.c blkdebug: add missing coroutine_fn annotation for indirect-called functions 2022-10-27 20:14:11 +02:00
blkio.c block/blkio: Set BlockDriver::has_variable_length to false 2022-11-10 14:52:36 +01:00
blklogwrites.c block/blklogwrites: don't care to remove bs->file child on failure 2022-10-27 20:14:11 +02:00
blkreplay.c block: introduce bdrv_open_file_child() helper 2022-10-27 20:14:11 +02:00
blkverify.c Block layer patches 2022-10-30 15:15:12 -04:00
block-backend.c block-backend: avoid bdrv_unregister_buf() NULL pointer deref 2022-11-29 18:15:26 -05:00
block-copy.c block/block-copy: block_copy(): add timeout_ns parameter 2022-06-29 10:56:12 +03:00
block-gen.h
block-ram-registrar.c block: add BlockRAMRegistrar 2022-10-26 14:56:42 -04:00
bochs.c block: introduce bdrv_open_file_child() helper 2022-10-27 20:14:11 +02:00
cloop.c block: introduce bdrv_open_file_child() helper 2022-10-27 20:14:11 +02:00
commit.c commit: switch to *_co_* functions 2022-10-27 20:14:11 +02:00
copy-before-write.c block: introduce bdrv_open_file_child() helper 2022-10-27 20:14:11 +02:00
copy-before-write.h block/copy-before-write.h: global state API + assertions 2022-03-04 18:18:25 +01:00
copy-on-read.c block: introduce bdrv_open_file_child() helper 2022-10-27 20:14:11 +02:00
copy-on-read.h Clean up ill-advised or unusual header guards 2022-05-11 16:50:01 +02:00
coroutines.h block: Remove remaining unused symbols in coroutines.h 2022-07-12 12:14:56 +02:00
create.c block_int-common.h: assertions in the callers of BlockDriver function pointers 2022-03-04 18:18:25 +01:00
crypto.c Block layer patches 2022-10-30 15:15:12 -04:00
crypto.h nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
curl.c curl: add missing coroutine_fn annotations 2022-10-07 12:11:41 +02:00
dirty-bitmap.c block: simplify handling of try to merge different sized bitmaps 2022-06-24 17:07:06 +02:00
dmg-bz2.c
dmg-lzfse.c block: Remove unused include 2020-11-09 15:44:21 +01:00
dmg.c dmg: warn when opening dmg images containing blocks of unknown type 2022-11-06 09:48:50 +01:00
dmg.h
file-posix.c block: add BDRV_REQ_REGISTERED_BUF request flag 2022-10-26 14:56:42 -04:00
file-win32.c block: use int64_t instead of uint64_t in driver write handlers 2021-09-29 13:46:31 -05:00
filter-compress.c block: introduce bdrv_open_file_child() helper 2022-10-27 20:14:11 +02:00
gluster.c block: add BDRV_REQ_REGISTERED_BUF request flag 2022-10-26 14:56:42 -04:00
io_uring.c block/io_uring: revert "Use io_uring_register_ring_fd() to skip fd operations" 2022-10-27 20:14:11 +02:00
io.c block: Start/end drain on correct AioContext 2022-11-10 14:58:43 +01:00
iscsi-opts.c modules: add block module annotations 2021-07-09 18:20:27 +02:00
iscsi.c iscsi: add missing coroutine_fn annotations 2022-10-07 12:11:40 +02:00
linux-aio.c misc: fix commonly doubled up words 2022-08-01 11:58:02 +02:00
meson.build block: add BlockRAMRegistrar 2022-10-26 14:56:42 -04:00
mirror.c block/mirror: Fix NULL s->job in active writes 2022-11-10 13:33:55 +01:00
nbd.c block: add BDRV_REQ_REGISTERED_BUF request flag 2022-10-26 14:56:42 -04:00
nfs.c block/nfs: Fix 32-bit Windows build 2022-10-27 20:14:11 +02:00
null.c block: use int64_t instead of uint64_t in driver write handlers 2021-09-29 13:46:31 -05:00
nvme.c block: return errors from bdrv_register_buf() 2022-10-26 14:56:42 -04:00
parallels-ext.c block: Change bdrv_{pread,pwrite,pwrite_sync}() param order 2022-07-12 12:14:55 +02:00
parallels.c Block layer patches 2022-10-30 15:15:12 -04:00
parallels.h parallels: support bitmap extension for read-only mode 2021-03-08 14:56:55 +01:00
preallocate.c block: introduce bdrv_open_file_child() helper 2022-10-27 20:14:11 +02:00
progress_meter.c progressmeter: protect with a mutex 2021-06-25 14:24:24 +03:00
qapi-sysemu.c block: add 'force' parameter to 'blockdev-change-medium' command 2022-04-25 12:02:36 +02:00
qapi.c block: use GDateTime for formatting timestamp when dumping snapshot info 2021-06-14 13:28:50 +01:00
qcow2-bitmap.c qcow2: manually add more coroutine_fn annotations 2022-10-27 20:14:11 +02:00
qcow2-cache.c block: Change bdrv_{pread,pwrite,pwrite_sync}() param order 2022-07-12 12:14:55 +02:00
qcow2-cluster.c qcow2: switch to *_co_* functions 2022-10-27 20:14:11 +02:00
qcow2-refcount.c qcow2: switch to *_co_* functions 2022-10-27 20:14:11 +02:00
qcow2-snapshot.c qcow2: switch to *_co_* functions 2022-10-27 20:14:11 +02:00
qcow2-threads.c
qcow2.c qcow2: switch to *_co_* functions 2022-10-27 20:14:11 +02:00
qcow2.h qcow2: manually add more coroutine_fn annotations 2022-10-27 20:14:11 +02:00
qcow.c Block layer patches 2022-10-30 15:15:12 -04:00
qed-check.c
qed-cluster.c
qed-l2-cache.c osdep: Move memalign-related functions to their own header 2022-03-07 13:16:49 +00:00
qed-table.c qed: switch to *_co_* functions 2022-10-27 20:14:11 +02:00
qed.c Block layer patches 2022-10-30 15:15:12 -04:00
qed.h
quorum.c quorum: Remove unnecessary forward declaration 2022-10-07 12:11:41 +02:00
raw-format.c Block layer patches 2022-10-30 15:15:12 -04:00
rbd.c block/rbd: report a better error when namespace does not exist 2022-06-24 17:07:06 +02:00
replication.c Block layer patches 2022-10-30 15:15:12 -04:00
reqlist.c block/reqlist: add reqlist_wait_all() 2022-03-07 09:33:30 +01:00
snapshot-access.c block: Manipulate bs->file / bs->backing pointers in .attach/.detach 2022-10-27 20:14:11 +02:00
snapshot.c block/snapshot: drop indirection around bdrv_snapshot_fallback_ptr 2022-10-27 20:14:11 +02:00
ssh.c Block layer patches 2022-10-30 15:15:12 -04:00
stream.c block/stream: Drain subtree around graph change 2022-03-29 16:30:55 +02:00
throttle-groups.c block/throttle-groups: throttle_group_co_io_limits_intercept(): 64bit bytes 2021-02-03 08:14:00 -06:00
throttle.c block: introduce bdrv_open_file_child() helper 2022-10-27 20:14:11 +02:00
trace-events nbd: trace long NBD operations 2022-06-29 10:57:02 +03:00
trace.h
vdi.c vdi: switch to *_co_* functions 2022-10-27 20:14:11 +02:00
vhdx-endian.c
vhdx-log.c block: Change bdrv_{pread,pwrite,pwrite_sync}() param order 2022-07-12 12:14:55 +02:00
vhdx.c Block layer patches 2022-10-30 15:15:12 -04:00
vhdx.h
vmdk.c vmdk: switch to *_co_* functions 2022-10-27 20:14:11 +02:00
vpc.c block: introduce bdrv_open_file_child() helper 2022-10-27 20:14:11 +02:00
vvfat.c block/vvfat: Unify the mkdir() call 2022-10-31 20:37:58 +00:00
win32-aio.c osdep: Move memalign-related functions to their own header 2022-03-07 13:16:49 +00:00
write-threshold.c write-threshold: deal with includes 2021-05-14 16:14:10 +02:00