Backing may be zero after failed bdrv_append in mirror_start_job,
which leads to SIGSEGV.

Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
---

similar SIGSEGV.
looks like (I guess by code, don't have full back-trace because of
coroutine switch on bdrv_flush):
mirror_start_job,
  bdrv_append failed, backing is not set 
  bdrv_unref
    bdrv_delete
      bdrv_close
        bdrv_flush
         ...
         bdrv_mirror_top_flush 
           Segmentation fault on
           return bdrv_co_flush(bs->backing->bs);
           as bs->backing = 0

 block/mirror.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/block/mirror.c b/block/mirror.c
index 6f5cb9f26c..f17c0d8726 100644
--- a/block/mirror.c
+++ b/block/mirror.c
@@ -1056,6 +1056,10 @@ static int coroutine_fn bdrv_mirror_top_pwritev(BlockDriverState *bs,
 
 static int coroutine_fn bdrv_mirror_top_flush(BlockDriverState *bs)
 {
+    if (bs->backing == NULL) {
+        /* we can be here after failed bdrv_append in mirror_start_job */
+        return 0;
+    }
     return bdrv_co_flush(bs->backing->bs);
 }
 
-- 
2.11.1

On 2017-09-29 17:22, Vladimir Sementsov-Ogievskiy wrote:
> Backing may be zero after failed bdrv_append in mirror_start_job,
> which leads to SIGSEGV.
> 
> Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
> ---
> 
> similar SIGSEGV.
> looks like (I guess by code, don't have full back-trace because of
> coroutine switch on bdrv_flush):
> mirror_start_job,
>   bdrv_append failed, backing is not set 
>   bdrv_unref
>     bdrv_delete
>       bdrv_close
>         bdrv_flush
>          ...
>          bdrv_mirror_top_flush 
>            Segmentation fault on
>            return bdrv_co_flush(bs->backing->bs);
>            as bs->backing = 0
> 
>  block/mirror.c | 4 ++++
>  1 file changed, 4 insertions(+)

Thanks, applied to my block branch:

https://github.com/XanClic/qemu/commits/block

Max