In qcow2_update_snapshot_refcount -> qcow2_process_discards() -> bdrv_discard()
may free the Qcow2DiscardRegion which is referenced by "next" pointer in
qcow2_process_discards() now, in next iteration, d = next, so g_free(d)
will double-free this Qcow2DiscardRegion.
qcow2_snapshot_delete
|- qcow2_update_snapshot_refcount
|-- qcow2_process_discards
|--- bdrv_discard
|---- aio_poll
|----- aio_dispatch
|------ bdrv_co_io_em_complete
|------- qemu_coroutine_enter(co->coroutine, NULL); <=== coroutine entry is bdrv_co_do_rw
|--- g_free(d) <== free first Qcow2DiscardRegion is okay
|--- d = next; <== this set is done in QTAILQ_FOREACH_SAFE() macro.
|--- g_free(d); <== double-free will happen if during previous iteration, bdrv_discard had free this object.
bdrv_co_do_rw
|- bdrv_co_do_writev
|-- bdrv_co_do_pwritev
|--- bdrv_aligned_pwritev
|---- qcow2_co_writev
|----- qcow2_alloc_cluster_link_l2
|------ qcow2_free_any_clusters
|------- qcow2_free_clusters
|-------- update_refcount
|--------- qcow2_process_discards
|---------- g_free(d) <== In next iteration, this Qcow2DiscardRegion will be double-free.
Signed-off-by: Zhang Haoyu <zhanghy@xxxxxxxxxxx>
Signed-off-by: Fu Xuewei <fxw@xxxxxxxxxxx>
---
block/qcow2-refcount.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
index 2bcaaf9..3b759a3 100644
--- a/block/qcow2-refcount.c
+++ b/block/qcow2-refcount.c
@@ -462,9 +462,9 @@ fail_block:
void qcow2_process_discards(BlockDriverState *bs, int ret)
{
BDRVQcowState *s = bs->opaque;
- Qcow2DiscardRegion *d, *next;
+ Qcow2DiscardRegion *d;
- QTAILQ_FOREACH_SAFE(d, &s->discards, next, next) {
+ while ((d = QTAILQ_FIRST(&s->discards)) != NULL) {
QTAILQ_REMOVE(&s->discards, d, next);
/* Discard is optional, ignore the return value */
--
1.7.12.4
--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
