From: Peter Krempa
To: libvir-list@redhat.com
Date: Thu, 24 Jan 2019 10:58:51 +0100
Message-Id: <1cd0d33bfdc8b92db0bd72b3656c9fbf48811b9c.1548323820.git.pkrempa@redhat.com>
Subject: [libvirt] [PATCH 5/5] qemu: Don't double-free disk->mirror if block commit initialization fails

disk->mirror would not be cleared while the local pointer was freed in
qemuDomainBlockCommit if qemuDomainObjExitMonitor or qemuBlockJobDiskNew
would return a failure.

Since block job handling is executed in the separate handler which needs
a qemu job, we don't need to pre-set the mirror state prior to starting
the job. Similarly the block copy job does not do that.

Move the setting of the data after starting the job so that we avoid
this problem.

Signed-off-by: Peter Krempa
---
 src/qemu/qemu_driver.c | 32 +++++++++++++-------------------
 1 file changed, 13 insertions(+), 19 deletions(-)

diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index d8f667e9aa..5dd18954b9 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c 
@@ -18182,6 +18182,8 @@ qemuDomainBlockCommit(virDomainPtr dom, disk->dst); goto endjob; } + + jobtype =3D QEMU_BLOCKJOB_TYPE_ACTIVE_COMMIT; } else if (flags & VIR_DOMAIN_BLOCK_COMMIT_ACTIVE) { virReportError(VIR_ERR_INVALID_ARG, _("active commit requested but '%s' is not active"), @@ -18254,22 +18256,16 @@ qemuDomainBlockCommit(virDomainPtr dom, qemuDomainDiskChainElementPrepare(driver, vm, top_parent, false, = false) < 0)) goto endjob; + if (!(job =3D qemuBlockJobDiskNew(disk, jobtype, device))) + goto endjob; + + disk->mirrorState =3D VIR_DOMAIN_DISK_MIRROR_STATE_NONE; + /* Start the commit operation. Pass the user's original spelling, * if any, through to qemu, since qemu may behave differently * depending on whether the input was specified as relative or * absolute (that is, our absolute top_canon may do the wrong - * thing if the user specified a relative name). Be prepared for - * a ready event to occur while locks are dropped. */ - if (mirror) { - disk->mirrorState =3D VIR_DOMAIN_DISK_MIRROR_STATE_NONE; - disk->mirror =3D mirror; - disk->mirrorJob =3D VIR_DOMAIN_BLOCK_JOB_TYPE_ACTIVE_COMMIT; - jobtype =3D QEMU_BLOCKJOB_TYPE_ACTIVE_COMMIT; - } - - if (!(job =3D qemuBlockJobDiskNew(disk, jobtype, device))) - goto endjob; - + * thing if the user specified a relative name). */ qemuDomainObjEnterMonitor(driver, vm); basePath =3D qemuMonitorDiskNameLookup(priv->mon, device, disk->src, baseSource); 
@@ -18279,17 +18275,15 @@ qemuDomainBlockCommit(virDomainPtr dom, ret =3D qemuMonitorBlockCommit(priv->mon, device, topPath, basePath, backingPath, speed); - if (qemuDomainObjExitMonitor(driver, vm) < 0) { + if (qemuDomainObjExitMonitor(driver, vm) < 0 || ret < 0) { ret =3D -1; goto endjob; } - if (ret =3D=3D 0) { - qemuBlockJobStarted(job); - mirror =3D NULL; - } else { - disk->mirror =3D NULL; - disk->mirrorJob =3D VIR_DOMAIN_BLOCK_JOB_TYPE_UNKNOWN; + qemuBlockJobStarted(job); + if (mirror) { + VIR_STEAL_PTR(disk->mirror, mirror); + disk->mirrorJob =3D VIR_DOMAIN_BLOCK_JOB_TYPE_ACTIVE_COMMIT; } if (virDomainSaveStatus(driver->xmlopt, cfg->stateDir, vm, driver->cap= s) < 0) --=20 2.20.1
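
Review bot: in the first hunk (@@ -18182), jobtype is set to QEMU_BLOCKJOB_TYPE_ACTIVE_COMMIT by the branch taken, while the last hunk sets disk->mirrorJob to VIR_DOMAIN_BLOCK_JOB_TYPE_ACTIVE_COMMIT under `if (mirror)`, so two different conditions now stand for "this is an active commit". If mirror is non-NULL exactly when this branch is taken, keying the later block on jobtype, or adding a comment that states the invariant, would keep the two from drifting apart.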
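
Review bot: in the second hunk (@@ -18254), disk->mirrorState is still set to VIR_DOMAIN_DISK_MIRROR_STATE_NONE before qemuMonitorBlockCommit runs, and the assignment is now unconditional where it used to sit under `if (mirror)`, yet the commit message says the mirror state need not be pre-set before starting the job. Consider moving it into the `if (mirror)` block next to VIR_STEAL_PTR in the last hunk, or explain in the commit message why it stays here and now applies to non-active commits as well. The sentence "Be prepared for a ready event to occur while locks are dropped" is also removed from the comment; since disk->mirror is now set only after qemuDomainObjExitMonitor returns, a short comment saying why an event arriving in that window is safe would help later readers.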
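
Review bot: in the last hunk (@@ -18279), the combined check `qemuDomainObjExitMonitor(driver, vm) < 0 || ret < 0` is only correct with the operands in this order, because swapping them would short-circuit past qemuDomainObjExitMonitor whenever qemuMonitorBlockCommit fails; a one-line comment would guard against a later reordering. On this failure path the job returned by qemuBlockJobDiskNew has not been passed to qemuBlockJobStarted and nothing visible in the hunk releases it, so please confirm that the endjob path takes care of it.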