From nobody Tue Apr 30 11:02:21 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1491242024314983.3131516604894; Mon, 3 Apr 2017 10:53:44 -0700 (PDT) Received: from localhost ([::1]:60545 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cv6Ag-0003a1-S0 for importer@patchew.org; Mon, 03 Apr 2017 13:53:42 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:36168) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cv693-0002YH-2B for qemu-devel@nongnu.org; Mon, 03 Apr 2017 13:52:01 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cv692-00049d-8M for qemu-devel@nongnu.org; Mon, 03 Apr 2017 13:52:01 -0400 Received: from mx1.redhat.com ([209.132.183.28]:40096) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cv68z-00048R-SC; Mon, 03 Apr 2017 13:51:58 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id C0EA583F45; Mon, 3 Apr 2017 17:51:56 +0000 (UTC) Received: from localhost (ovpn-204-55.brq.redhat.com [10.40.204.55]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 2C06DA0A26; Mon, 3 Apr 2017 17:51:55 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com C0EA583F45 Authentication-Results: ext-mx03.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx03.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=mreitz@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com C0EA583F45 From: Max Reitz To: qemu-block@nongnu.org Date: Mon, 3 Apr 2017 19:51:49 +0200 Message-Id: <20170403175150.15253-2-mreitz@redhat.com> In-Reply-To: <20170403175150.15253-1-mreitz@redhat.com> References: <20170403175150.15253-1-mreitz@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.27]); Mon, 03 Apr 2017 17:51:56 +0000 (UTC) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PATCH for-2.9 1/2] block/mirror: Fix use-after-free X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Kevin Wolf , qemu-devel@nongnu.org, Max Reitz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" If @bs does not have any parents, the only reference to @mirror_top_bs will be held by the BlockJob object after the bdrv_unref() following block_job_create(). However, if block_job_create() fails, this reference will not exist and @mirror_top_bs will have been deleted when we goto fail. The issue comes back at all later entries to the fail label: We delete the BlockJob object before rolling back our changes to the node graph. This means that we will delete @mirror_top_bs in the process. All in all, whenever @bs does not have any parents and we go down the fail path we will dereference @mirror_top_bs after it has been deleted. Fix this by invoking bdrv_unref() only when block_job_create() was successful and by bdrv_ref()'ing @mirror_top_bs in the fail path before deleting the BlockJob object. Finally, bdrv_unref() it at the end of the fail path after we actually no longer need it. Signed-off-by: Max Reitz Reviewed-by: John Snow Reviewed-by: Philippe Mathieu-Daud=C3=A9 --- block/mirror.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/block/mirror.c b/block/mirror.c index 9e2fecc15e..46ecd38ef0 100644 --- a/block/mirror.c +++ b/block/mirror.c @@ -1150,7 +1150,7 @@ static void mirror_start_job(const char *job_id, Bloc= kDriverState *bs, mirror_top_bs->total_sectors =3D bs->total_sectors; =20 /* bdrv_append takes ownership of the mirror_top_bs reference, need to= keep - * it alive until block_job_create() even if bs has no parent. */ + * it alive until block_job_create() succeeds even if bs has no parent= . */ bdrv_ref(mirror_top_bs); bdrv_drained_begin(bs); bdrv_append(mirror_top_bs, bs, &local_err); @@ -1168,10 +1168,12 @@ static void mirror_start_job(const char *job_id, Bl= ockDriverState *bs, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE_UNCHANG= ED | BLK_PERM_WRITE | BLK_PERM_GRAPH_MOD, speed, creation_flags, cb, opaque, errp); - bdrv_unref(mirror_top_bs); if (!s) { goto fail; } + /* The block job now has a reference to this node */ + bdrv_unref(mirror_top_bs); + s->source =3D bs; s->mirror_top_bs =3D mirror_top_bs; =20 @@ -1242,6 +1244,10 @@ static void mirror_start_job(const char *job_id, Blo= ckDriverState *bs, =20 fail: if (s) { + /* Make sure this BDS does not go away until we have completed the= graph + * changes below */ + bdrv_ref(mirror_top_bs); + g_free(s->replaces); blk_unref(s->target); block_job_unref(&s->common); @@ -1250,6 +1256,8 @@ fail: bdrv_child_try_set_perm(mirror_top_bs->backing, 0, BLK_PERM_ALL, &error_abort); bdrv_replace_node(mirror_top_bs, backing_bs(mirror_top_bs), &error_abo= rt); + + bdrv_unref(mirror_top_bs); } =20 void mirror_start(const char *job_id, BlockDriverState *bs, --=20 2.12.1 From nobody Tue Apr 30 11:02:21 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1491242024229772.2467560327473; Mon, 3 Apr 2017 10:53:44 -0700 (PDT) Received: from localhost ([::1]:60544 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cv6Ag-0003Zw-Pm for importer@patchew.org; Mon, 03 Apr 2017 13:53:42 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:36201) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cv695-0002c8-MC for qemu-devel@nongnu.org; Mon, 03 Apr 2017 13:52:04 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cv694-0004Bp-S9 for qemu-devel@nongnu.org; Mon, 03 Apr 2017 13:52:03 -0400 Received: from mx1.redhat.com ([209.132.183.28]:48616) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cv692-00049J-7T; Mon, 03 Apr 2017 13:52:00 -0400 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 2E01D61D13; Mon, 3 Apr 2017 17:51:59 +0000 (UTC) Received: from localhost (ovpn-204-55.brq.redhat.com [10.40.204.55]) by smtp.corp.redhat.com (Postfix) with ESMTPS id B3E3518102; Mon, 3 Apr 2017 17:51:58 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 2E01D61D13 Authentication-Results: ext-mx10.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx10.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=mreitz@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 2E01D61D13 From: Max Reitz To: qemu-block@nongnu.org Date: Mon, 3 Apr 2017 19:51:50 +0200 Message-Id: <20170403175150.15253-3-mreitz@redhat.com> In-Reply-To: <20170403175150.15253-1-mreitz@redhat.com> References: <20170403175150.15253-1-mreitz@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]); Mon, 03 Apr 2017 17:51:59 +0000 (UTC) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PATCH for-2.9 2/2] iotests: Add mirror tests for orphaned source X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Kevin Wolf , qemu-devel@nongnu.org, Max Reitz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Signed-off-by: Max Reitz Reviewed-by: Eric Blake Reviewed-by: John Snow --- tests/qemu-iotests/041 | 46 +++++++++++++++++++++++++++++++++++++++= ++++ tests/qemu-iotests/041.out | 4 ++-- tests/qemu-iotests/iotests.py | 15 ++++++++++++++ 3 files changed, 63 insertions(+), 2 deletions(-) diff --git a/tests/qemu-iotests/041 b/tests/qemu-iotests/041 index bc6cf782fe..2f54986434 100755 --- a/tests/qemu-iotests/041 +++ b/tests/qemu-iotests/041 @@ -966,5 +966,51 @@ class TestRepairQuorum(iotests.QMPTestCase): # to check that this file is really driven by quorum self.vm.shutdown() =20 +# Test mirroring with a source that does not have any parents (not even a +# BlockBackend) +class TestOrphanedSource(iotests.QMPTestCase): + def setUp(self): + blk0 =3D { 'node-name': 'src', + 'driver': 'null-co' } + + blk1 =3D { 'node-name': 'dest', + 'driver': 'null-co' } + + blk2 =3D { 'node-name': 'dest-ro', + 'driver': 'null-co', + 'read-only': 'on' } + + self.vm =3D iotests.VM() + self.vm.add_blockdev(self.qmp_to_opts(blk0)) + self.vm.add_blockdev(self.qmp_to_opts(blk1)) + self.vm.add_blockdev(self.qmp_to_opts(blk2)) + self.vm.launch() + + def tearDown(self): + self.vm.shutdown() + + def test_no_job_id(self): + self.assert_no_active_block_jobs() + + result =3D self.vm.qmp('blockdev-mirror', device=3D'src', sync=3D'= full', + target=3D'dest') + self.assert_qmp(result, 'error/class', 'GenericError') + + def test_success(self): + self.assert_no_active_block_jobs() + + result =3D self.vm.qmp('blockdev-mirror', job_id=3D'job', device= =3D'src', + sync=3D'full', target=3D'dest') + self.assert_qmp(result, 'return', {}) + + self.complete_and_wait('job') + + def test_failing_permissions(self): + self.assert_no_active_block_jobs() + + result =3D self.vm.qmp('blockdev-mirror', device=3D'src', sync=3D'= full', + target=3D'dest-ro') + self.assert_qmp(result, 'error/class', 'GenericError') + if __name__ =3D=3D '__main__': iotests.main(supported_fmts=3D['qcow2', 'qed']) diff --git a/tests/qemu-iotests/041.out b/tests/qemu-iotests/041.out index b67d0504a6..e30fd3b05b 100644 --- a/tests/qemu-iotests/041.out +++ b/tests/qemu-iotests/041.out @@ -1,5 +1,5 @@ -..........................................................................= .. +..........................................................................= ..... ---------------------------------------------------------------------- -Ran 76 tests +Ran 79 tests =20 OK diff --git a/tests/qemu-iotests/iotests.py b/tests/qemu-iotests/iotests.py index bec8eb4b8d..abcf3c10e2 100644 --- a/tests/qemu-iotests/iotests.py +++ b/tests/qemu-iotests/iotests.py @@ -177,6 +177,14 @@ class VM(qtest.QEMUQtestMachine): self._num_drives +=3D 1 return self =20 + def add_blockdev(self, opts): + self._args.append('-blockdev') + if isinstance(opts, str): + self._args.append(opts) + else: + self._args.append(','.join(opts)) + return self + def pause_drive(self, drive, event=3DNone): '''Pause drive r/w operations''' if not event: @@ -235,6 +243,13 @@ class QMPTestCase(unittest.TestCase): output[basestr[:-1]] =3D obj # Strip trailing '.' return output =20 + def qmp_to_opts(self, obj): + obj =3D self.flatten_qmp_object(obj) + output_list =3D list() + for key in obj: + output_list +=3D [key + '=3D' + obj[key]] + return ','.join(output_list) + def assert_qmp_absent(self, d, path): try: result =3D self.dictpath(d, path) --=20 2.12.1