Commit fc9aefc8 authored by Vladimir Sementsov-Ogievskiy's avatar Vladimir Sementsov-Ogievskiy Committed by Max Reitz
Browse files

block/block-copy: fix use-after-free of task pointer 



Obviously, we should g_free the task after trace point and offset
update.

Reported-by: Coverity (CID 1428756)
Fixes: 4ce5dd3e
Signed-off-by: default avatarVladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Message-Id: <20200507183800.22626-1-vsementsov@virtuozzo.com>
Reviewed-by: default avatarEric Blake <eblake@redhat.com>
Signed-off-by: default avatarMax Reitz <mreitz@redhat.com>
parent dd488fc1

block/block-copy.c

+1 −1
Original line number Diff line number Diff line
@@ -591,13 +591,13 @@ static int coroutine_fn block_copy_dirty_clusters(BlockCopyState *s, 
        }

        if (s->skip_unallocated && !(ret & BDRV_BLOCK_ALLOCATED)) {

            block_copy_task_end(task, 0);

            g_free(task);

            progress_set_remaining(s->progress,

                                   bdrv_get_dirty_count(s->copy_bitmap) +

                                   s->in_flight_bytes);

            trace_block_copy_skip_range(s, task->offset, task->bytes);

            offset = task_end(task);

            bytes = end - offset;

            g_free(task);

            continue;

        }

        task->zeroes = ret & BDRV_BLOCK_ZERO;