You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

Stefan Hajnoczi 7103895123 block-backend: avoid bdrv_unregister_buf() NULL pointer deref ... bdrv_*() APIs expect a valid BlockDriverState. Calling them with bs=NULL leads to undefined behavior. Jonathan Cameron reported this following NULL pointer dereference when a VM with a virtio-blk device and a memory-backend-file object is terminated: 1. qemu_cleanup() closes all drives, setting blk->root to NULL 2. qemu_cleanup() calls user_creatable_cleanup(), which results in a RAM block notifier callback because the memory-backend-file is destroyed. 3. blk_unregister_buf() is called by virtio-blk's BlockRamRegistrar notifier callback and undefined behavior occurs. Fixes: baf422684d ("virtio-blk: use BDRV_REQ_REGISTERED_BUF optimization hint") Co-authored-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Message-Id: <20221121211923.1993171-1-stefanha@redhat.com>		2 years ago
..
export	block: remove bdrv_try_set_aio_context and replace it with bdrv_try_change_aio_context	2 years ago
monitor	monitor: add missing coroutine_fn annotation	2 years ago
accounting.c	block: add missed block_acct_setup with new block device init procedure	2 years ago
aio_task.c	block/aio_task: assert `max_busy_tasks` is greater than 0	3 years ago
amend.c	block/amend: Keep strong reference to BDS	3 years ago
backup.c	backup: remove incorrect coroutine_fn annotation	2 years ago
blkdebug.c	blkdebug: add missing coroutine_fn annotation for indirect-called functions	2 years ago
blkio.c	block/blkio: Set BlockDriver::has_variable_length to false	2 years ago
blklogwrites.c	block/blklogwrites: don't care to remove bs->file child on failure	2 years ago
blkreplay.c	block: introduce bdrv_open_file_child() helper	2 years ago
blkverify.c	Block layer patches	2 years ago
block-backend.c	block-backend: avoid bdrv_unregister_buf() NULL pointer deref	2 years ago
block-copy.c	block/block-copy: block_copy(): add timeout_ns parameter	3 years ago
block-gen.h	scripts: add block-coroutine-wrapper.py	4 years ago
block-ram-registrar.c	block: add BlockRAMRegistrar	2 years ago
bochs.c	block: introduce bdrv_open_file_child() helper	2 years ago
cloop.c	block: introduce bdrv_open_file_child() helper	2 years ago
commit.c	commit: switch to *_co_* functions	2 years ago
copy-before-write.c	block: introduce bdrv_open_file_child() helper	2 years ago
copy-before-write.h	block/copy-before-write.h: global state API + assertions	3 years ago
copy-on-read.c	block: introduce bdrv_open_file_child() helper	2 years ago
copy-on-read.h	Clean up ill-advised or unusual header guards	3 years ago
coroutines.h	block: Remove remaining unused symbols in coroutines.h	3 years ago
create.c	block_int-common.h: assertions in the callers of BlockDriver function pointers	3 years ago
crypto.c	Block layer patches	2 years ago
crypto.h	nomaintainer: Fix Lesser GPL version number	4 years ago
curl.c	curl: add missing coroutine_fn annotations	2 years ago
dirty-bitmap.c	block: simplify handling of try to merge different sized bitmaps	3 years ago
dmg-bz2.c	Include qemu-common.h exactly where needed	6 years ago
dmg-lzfse.c	block: Remove unused include	4 years ago
dmg.c	dmg: warn when opening dmg images containing blocks of unknown type	2 years ago
dmg.h	Include qemu-common.h exactly where needed	6 years ago
file-posix.c	block: add BDRV_REQ_REGISTERED_BUF request flag	2 years ago
file-win32.c	block: use int64_t instead of uint64_t in driver write handlers	3 years ago
filter-compress.c	block: introduce bdrv_open_file_child() helper	2 years ago
gluster.c	block: add BDRV_REQ_REGISTERED_BUF request flag	2 years ago
io.c	block: Start/end drain on correct AioContext	2 years ago
io_uring.c	block/io_uring: revert "Use io_uring_register_ring_fd() to skip fd operations"	2 years ago
iscsi-opts.c	modules: add block module annotations	4 years ago
iscsi.c	iscsi: add missing coroutine_fn annotations	2 years ago
linux-aio.c	misc: fix commonly doubled up words	3 years ago
meson.build	block: add BlockRAMRegistrar	2 years ago
mirror.c	block/mirror: Fix NULL s->job in active writes	2 years ago
nbd.c	block: add BDRV_REQ_REGISTERED_BUF request flag	2 years ago
nfs.c	block/nfs: Fix 32-bit Windows build	2 years ago
null.c	block: use int64_t instead of uint64_t in driver write handlers	3 years ago
nvme.c	block: return errors from bdrv_register_buf()	2 years ago
parallels-ext.c	block: Change bdrv_{pread,pwrite,pwrite_sync}() param order	3 years ago
parallels.c	Block layer patches	2 years ago
parallels.h	parallels: support bitmap extension for read-only mode	4 years ago
preallocate.c	block: introduce bdrv_open_file_child() helper	2 years ago
progress_meter.c	progressmeter: protect with a mutex	4 years ago
qapi-sysemu.c	block: add 'force' parameter to 'blockdev-change-medium' command	3 years ago
qapi.c	block: use GDateTime for formatting timestamp when dumping snapshot info	4 years ago
qcow.c	Block layer patches	2 years ago
qcow2-bitmap.c	qcow2: manually add more coroutine_fn annotations	2 years ago
qcow2-cache.c	block: Change bdrv_{pread,pwrite,pwrite_sync}() param order	3 years ago
qcow2-cluster.c	qcow2: switch to *_co_* functions	2 years ago
qcow2-refcount.c	qcow2: switch to *_co_* functions	2 years ago
qcow2-snapshot.c	qcow2: switch to *_co_* functions	2 years ago
qcow2-threads.c	qcow2: add zstd cluster compression	5 years ago
qcow2.c	qcow2: switch to *_co_* functions	2 years ago
qcow2.h	qcow2: manually add more coroutine_fn annotations	2 years ago
qed-check.c	block/qed: add missed coroutine_fn markers	6 years ago
qed-cluster.c	qed: protect table cache with CoMutex	8 years ago
qed-l2-cache.c	osdep: Move memalign-related functions to their own header	3 years ago
qed-table.c	qed: switch to *_co_* functions	2 years ago
qed.c	Block layer patches	2 years ago
qed.h	qed: Simplify backing reads	5 years ago
quorum.c	quorum: Remove unnecessary forward declaration	2 years ago
raw-format.c	Block layer patches	2 years ago
rbd.c	block/rbd: report a better error when namespace does not exist	3 years ago
replication.c	Block layer patches	2 years ago
reqlist.c	block/reqlist: add reqlist_wait_all()	3 years ago
snapshot-access.c	block: Manipulate bs->file / bs->backing pointers in .attach/.detach	2 years ago
snapshot.c	block/snapshot: drop indirection around bdrv_snapshot_fallback_ptr	2 years ago
ssh.c	Block layer patches	2 years ago
stream.c	block/stream: Drain subtree around graph change	3 years ago
throttle-groups.c	block/throttle-groups: throttle_group_co_io_limits_intercept(): 64bit bytes	4 years ago
throttle.c	block: introduce bdrv_open_file_child() helper	2 years ago
trace-events	nbd: trace long NBD operations	3 years ago
trace.h	trace: switch position of headers to what Meson requires	5 years ago
vdi.c	vdi: switch to *_co_* functions	2 years ago
vhdx-endian.c	Include qemu-common.h exactly where needed	6 years ago
vhdx-log.c	block: Change bdrv_{pread,pwrite,pwrite_sync}() param order	3 years ago
vhdx.c	Block layer patches	2 years ago
vhdx.h	block/vhdx: Use IEC binary prefixes for size constants	6 years ago
vmdk.c	vmdk: switch to *_co_* functions	2 years ago
vpc.c	block: introduce bdrv_open_file_child() helper	2 years ago
vvfat.c	block/vvfat: Unify the mkdir() call	2 years ago
win32-aio.c	osdep: Move memalign-related functions to their own header	3 years ago
write-threshold.c	write-threshold: deal with includes	4 years ago