From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43)
	id 1LndRD-0003Kj-C9
	for qemu-devel@nongnu.org; Sat, 28 Mar 2009 14:39:23 -0400
Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43)
	id 1LndR8-0003E0-PJ
	for qemu-devel@nongnu.org; Sat, 28 Mar 2009 14:39:22 -0400
Received: from [199.232.76.173] (port=33742 helo=monty-python.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1LndR8-0003Db-Gg
	for qemu-devel@nongnu.org; Sat, 28 Mar 2009 14:39:18 -0400
Received: from verein.lst.de ([213.95.11.210]:43548)
	by monty-python.gnu.org with esmtps
	(TLS-1.0:DHE_RSA_3DES_EDE_CBC_SHA1:24) (Exim 4.60)
	(envelope-from <hch@lst.de>) id 1LndR7-0007l9-T4
	for qemu-devel@nongnu.org; Sat, 28 Mar 2009 14:39:18 -0400
Received: from verein.lst.de (localhost [127.0.0.1])
	by verein.lst.de (8.12.3/8.12.3/Debian-7.1) with ESMTP id
	n2SIdGIF025974
	(version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO)
	for <qemu-devel@nongnu.org>; Sat, 28 Mar 2009 19:39:16 +0100
Received: (from hch@localhost)
	by verein.lst.de (8.12.3/8.12.3/Debian-6.6) id n2SIdGws025972
	for qemu-devel@nongnu.org; Sat, 28 Mar 2009 19:39:16 +0100
Date: Sat, 28 Mar 2009 19:39:16 +0100
From: Christoph Hellwig <hch@lst.de>
Message-ID: <20090328183916.GA25875@lst.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Subject: [Qemu-devel] [PATCH] check for bs->drv in bdrv_flush
Reply-To: qemu-devel@nongnu.org
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/pipermail/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org

All the bdrv_ helpers should check for bs->drv being zero as that means
there is no backend image open.  bdrv_flush fails to perform that check
and can thus cause NULL pointer dereferences.

Found using qemu-io.


Signed-off-by: Christoph Hellwig <hch@lst.de>

Index: qemu/block.c
===================================================================
--- qemu.orig/block.c	2009-03-19 21:48:12.180978074 +0100
+++ qemu/block.c	2009-03-19 21:48:53.228977807 +0100
@@ -979,6 +979,8 @@ const char *bdrv_get_device_name(BlockDr
 
 void bdrv_flush(BlockDriverState *bs)
 {
+    if (!bs->drv)
+        return;
     if (bs->drv->bdrv_flush)
         bs->drv->bdrv_flush(bs);
     if (bs->backing_hd)