On Tue, Mar 04, 2025 at 11:39:10AM +0300, ger...@altlinux.org wrote:
> From: Denis Rastyogin <ger...@altlinux.org>
> 
> This error was discovered by fuzzing qemu-img.
> 
> In the QED block driver, the need_check_timer timer is freed in
> bdrv_qed_detach_aio_context, but the pointer to the timer is not
> set to NULL. This can lead to a use-after-free scenario
> in bdrv_qed_drain_begin().
> 
> The need_check_timer pointer is set to NULL after freeing the timer,
> which helps catch this condition when checking in bdrv_qed_drain_begin().
> 
> Closes: https://gitlab.com/qemu-project/qemu/-/issues/2852
> Signed-off-by: Denis Rastyogin <ger...@altlinux.org>
> ---
>  block/qed.c | 1 +
>  1 file changed, 1 insertion(+)

Thanks, applied to my block tree:
https://gitlab.com/stefanha/qemu/commits/block

Stefan
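The pattern the commit message describes, as an added example that is not QEMU's code and not part of this thread: a driver state keeps a pointer to a timer, the detach path frees the timer, and a later drain path checks the pointer before touching the timer. The buggy detach leaves the pointer dangling, so the check in drain passes and the freed object is used; the fixed detach clears the pointer, so the check correctly skips it. `ToyTimer`, `timer_new`, `timer_free`, `timer_del` and `BDRVQEDState` here are constructed stand-ins kept in a static pool so the dangling access is detected and reported instead of being undefined behaviour; they are not QEMU's QEMUTimer API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a timer object. Objects live in a static pool
 * with a liveness flag so a use after "free" is observable rather than UB. */
typedef struct {
    bool live;
    bool pending;
} ToyTimer;

#define POOL_SIZE 4
static ToyTimer pool[POOL_SIZE];

static ToyTimer *timer_new(void) {
    for (size_t i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].live) {
            pool[i].live = true;
            pool[i].pending = true;
            return &pool[i];
        }
    }
    return NULL;
}

/* "Frees" the timer: the slot is dead and must not be touched again. */
static void timer_free(ToyTimer *t) {
    t->live = false;
    t->pending = false;
}

/* Returns false when called on a freed timer, modelling a sanitizer
 * catching the use-after-free. */
static bool timer_del(ToyTimer *t) {
    if (!t->live) {
        return false;
    }
    t->pending = false;
    return true;
}

/* Constructed driver state holding the timer pointer (hypothetical name). */
typedef struct {
    ToyTimer *need_check_timer;
} BDRVQEDState;

/* Buggy detach: frees the timer but leaves the pointer dangling. */
static void qed_detach_aio_context_buggy(BDRVQEDState *s) {
    timer_free(s->need_check_timer);
}

/* Fixed detach: frees the timer and clears the pointer, so any later
 * "is there a timer?" check sees that there is none. */
static void qed_detach_aio_context_fixed(BDRVQEDState *s) {
    timer_free(s->need_check_timer);
    s->need_check_timer = NULL;
}

/* Drain path: only touch the timer if the pointer says one exists.
 * Returns 1 = timer deleted, 0 = no timer present, -1 = dangling pointer
 * dereferenced (the use-after-free the fix prevents). */
static int qed_drain_begin(BDRVQEDState *s) {
    if (!s->need_check_timer) {
        return 0;
    }
    return timer_del(s->need_check_timer) ? 1 : -1;
}

/* Runs the detach-then-drain sequence with either detach variant and
 * reports what the drain path observed. */
int run_scenario(bool fixed) {
    memset(pool, 0, sizeof(pool));          /* fresh pool for each run */
    BDRVQEDState s = { .need_check_timer = timer_new() };

    if (fixed) {
        qed_detach_aio_context_fixed(&s);
    } else {
        qed_detach_aio_context_buggy(&s);
    }
    return qed_drain_begin(&s);
}

int main(void) {
    printf("buggy detach -> drain result: %d (expect -1, dangling use)\n",
           run_scenario(false));
    printf("fixed detach -> drain result: %d (expect 0, no timer)\n",
           run_scenario(true));
    return 0;
}
```

The drain-side check is only as good as the pointer it reads: clearing the pointer at the free site is what turns "freed but still referenced" into "absent", which a NULL check can actually detect.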
