From: Peter Krempa
To: libvir-list@redhat.com
Subject: [PATCH 1/2] qemuBlockJobProcessEventCompletedPull: Avoid dangling pointer after blockpull
Date: Mon, 12 Apr 2021 17:57:45 +0200

When doing a full block pull job (base == NULL) and the config XML
contains a compatible disk, the completer function would leave a
dangling pointer in 'cfgdisk->src->backingStore' as cfgdisk->src would
be set to the value of 'cfgbase' which was always set to
'cfgdisk->src->backingStore'.

This is wrong though since for the live definition XML we set the
respective counterpart to 'job->data.pull.base' which is NULL in the
above scenario.

This leads to an invalid pointer read when saving the config XML and may
end up in a crash.

Resolve it by setting 'cfgbase' only when 'job->data.pull.base' is
non-NULL.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1946918
Signed-off-by: Peter Krempa
Reviewed-by: Pavel Hrdina
---
 src/qemu/qemu_blockjob.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/src/qemu/qemu_blockjob.c b/src/qemu/qemu_blockjob.c
index 66268a365a..d708fd18fd 100644
--- a/src/qemu/qemu_blockjob.c
+++ b/src/qemu/qemu_blockjob.c
@@ -1005,10 +1005,7 @@ qemuBlockJobProcessEventCompletedPull(virQEMUDriverP= tr driver, if (!job->disk) return; - if ((cfgdisk =3D qemuBlockJobGetConfigDisk(vm, job->disk, job->data.pu= ll.base))) - cfgbase =3D cfgdisk->src->backingStore; - - if (!cfgdisk) + if (!(cfgdisk =3D qemuBlockJobGetConfigDisk(vm, job->disk, job->data.p= ull.base))) qemuBlockJobClearConfigChain(vm, job->disk); qemuBlockJobProcessEventCompletedPullBitmaps(vm, job, asyncJob); 
@@ -1018,6 +1015,8 @@ qemuBlockJobProcessEventCompletedPull(virQEMUDriverPt= r driver, return; if (job->data.pull.base) { + if (cfgdisk) + cfgbase =3D cfgdisk->src->backingStore; for (n =3D job->disk->src->backingStore; n && n !=3D job->data.pul= l.base; n =3D n->backingStore) { /* find the image on top of 'base' */ --=20 2.30.2
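Review bot: in the @@ -1005 hunk the lookup `if (!(cfgdisk = qemuBlockJobGetConfigDisk(vm, job->disk, job->data.pull.base)))` now only decides whether qemuBlockJobClearConfigChain() runs, and cfgbase is no longer assigned here, so on the base == NULL path cfgbase stays NULL while cfgdisk may well be set. The code below these hunks that installs cfgbase into the config disk's chain has to accept that combination; a comment at the cfgbase declaration saying that NULL now means "nothing below the top image" rather than "no matching config disk" would make the new invariant explicit for the next reader.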
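Review bot: the added `if (cfgdisk) cfgbase = cfgdisk->src->backingStore;` inside `if (job->data.pull.base)` is the config-side starting point that accompanies the loop walking `job->disk->src->backingStore` down to job->data.pull.base, so it is only meaningful because the lookup in the previous hunk was handed job->data.pull.base as the chain bottom and validated the config chain that deep. A one-line comment tying the two together would help, since moving the lookup or changing its bottom argument would silently desynchronise the two chains again.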
From: Peter Krempa
To: libvir-list@redhat.com
Subject: [PATCH 2/2] qemuBlockJobProcessEventCompletedPull: Add backingStore terminators if base is NULL
Date: Mon, 12 Apr 2021 17:57:46 +0200

When doing a blockpull with NULL base the full contents of the disk are
pulled into the topmost image which then becomes fully self-contained.

qemuBlockJobProcessEventCompletedPull doesn't install the backing chain
terminators though, although it's guaranteed that there will be no
backing chain behind disk->src.

Add the terminators for completeness and for disabling backing chain
detection on further boots.

Signed-off-by: Peter Krempa
Reviewed-by: Pavel Hrdina
---
 src/qemu/qemu_blockjob.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/qemu/qemu_blockjob.c b/src/qemu/qemu_blockjob.c
index d708fd18fd..d2a769136d 100644
--- a/src/qemu/qemu_blockjob.c
+++ b/src/qemu/qemu_blockjob.c
@@ -992,6 +992,7 @@ qemuBlockJobProcessEventCompletedPull(virQEMUDriverPtr = driver, qemuBlockJobDataPtr job, qemuDomainAsyncJob asyncJob) { + virStorageSource *base =3D NULL; virStorageSourcePtr baseparent =3D NULL; virDomainDiskDefPtr cfgdisk =3D NULL; virStorageSourcePtr cfgbase =3D NULL; @@ -1015,8 +1016,11 @@ qemuBlockJobProcessEventCompletedPull(virQEMUDriverP= tr driver, return; if (job->data.pull.base) { + base =3D job->data.pull.base; + if (cfgdisk) cfgbase =3D cfgdisk->src->backingStore; + for (n =3D job->disk->src->backingStore; n && n !=3D job->data.pul= l.base; n =3D n->backingStore) { /* find the image on top of 'base' */ @@ -1027,10 +1031,17 @@ qemuBlockJobProcessEventCompletedPull(virQEMUDriver= Ptr driver, baseparent =3D n; } + } else { + /* create terminators for the chain; since we are pulling everythi= ng + * into the top image the chain is automatically considered termin= ated */ + base =3D virStorageSourceNew(); + + if (cfgdisk) + cfgbase =3D virStorageSourceNew(); } tmp =3D job->disk->src->backingStore; - job->disk->src->backingStore =3D job->data.pull.base; + job->disk->src->backingStore =3D base; if (baseparent) baseparent->backingStore =3D NULL; qemuBlockJobEventProcessConcludedRemoveChain(driver, vm, asyncJob, tmp= ); --=20 2.30.2
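Review bot: in the @@ -992 hunk `virStorageSource *base = NULL;` is added directly above `virStorageSourcePtr baseparent = NULL;` and two further `virStorageSourcePtr` declarations, so one declaration block now mixes the plain pointer type with the Ptr typedef. Pick one spelling for the block: either convert the three existing declarations in the same hunk or write `virStorageSourcePtr base = NULL;` here.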
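Review bot: in the @@ -1015 hunk, after `base = job->data.pull.base;` the loop condition still reads `n != job->data.pull.base`; using `base` there makes the loop and the later `job->disk->src->backingStore = base;` visibly operate on the same pointer and leaves job->data.pull.base referenced exactly once, at the assignment.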
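Review bot: in the @@ -1027 hunk the else branch stores the results of two `virStorageSourceNew()` calls into plain pointers with no failure check and no cleanup path. If the constructor can return NULL, this path installs NULL and reintroduces the unterminated chain the patch sets out to fix; and if any code between this branch and the point where cfgbase is installed can return early, the cfgbase terminator leaks (the `base` one is consumed right after by `job->disk->src->backingStore = base;`). Either note in the comment that virStorageSourceNew() cannot fail and that no early return sits between here and the install, or hold both terminators in g_autoptr variables and g_steal_pointer() them at the install sites.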
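The dangling pointer from patch 1/2 and the terminators from patch 2/2 are easier to see on a small model than in the completer itself. The C below is an added example, not libvirt code and not part of either patch: image_t mirrors only the backingStore link of virStorageSource, pull_complete() is a hypothetical reconstruction of the completer's live/config bookkeeping (the lockstep walk of the config chain is assumed from the commit message, the hunks do not show it), and release_chain() marks images instead of freeing them so the pre-patch config pointer can be inspected without undefined behaviour. With fixed == 0 a full pull leaves cfgtop->backingStore pointing at a released image; with fixed == 1 both chains end in an empty terminator.

```c
/* Added example, not libvirt code. image_t stands in for virStorageSource
 * (backingStore link only) and pull_complete() is a hypothetical reconstruction
 * of the completer touched by the two patches above. Removed images are marked,
 * not freed, so the dangling pointer is safe to inspect. */
#include <stdlib.h>

typedef struct image image_t;
struct image {
    const char *path;      /* NULL on a chain terminator */
    image_t *backingStore; /* next image down the chain; NULL ends it */
    int released;          /* set by release_chain() in place of free() */
};
typedef struct { int cfg_dangling; size_t live_len, cfg_len; int base_kept; } pull_result_t;

static image_t *image_new(const char *path) {
    image_t *img = calloc(1, sizeof(*img));
    if (!img) abort();
    img->path = path;
    return img;
}

static image_t *chain_build(const char *const *paths, size_t n) {
    image_t *head = NULL, **link = &head; /* paths[n-1] is the bottom image */
    for (size_t i = 0; i < n; i++, link = &(*link)->backingStore)
        *link = image_new(paths[i]);
    return head;
}

static size_t chain_len(const image_t *img) {
    size_t n = 0;
    for (; img; img = img->backingStore) n++;
    return n;
}

static void release_chain(image_t *img) { /* simulated free of removed images */
    for (; img; img = img->backingStore) img->released = 1;
}

static void chain_destroy(image_t *img) { /* real free, at teardown only */
    while (img) { image_t *next = img->backingStore; free(img); img = next; }
}

/* Completer for live disk 'top' and its config twin 'cfgtop' (may be NULL).
 * 'base' is the live image the pull stopped at (NULL: full pull), with at least
 * one image above it; its config counterpart is found by a lockstep walk.
 * fixed == 0: pre-patch, cfgbase starts at cfgtop->backingStore even without a
 * base, i.e. at the head of the chain released below. fixed == 1: both patches,
 * cfgbase is derived only with a base, and a full pull installs terminators. */
static void pull_complete(image_t *top, image_t *cfgtop, image_t *base, int fixed) {
    image_t *removed = top->backingStore, *cfgremoved = cfgtop ? cfgtop->backingStore : NULL;
    image_t *baseparent = NULL, *cfgbaseparent = NULL, *cfgbase = NULL, *n;

    if (!fixed && cfgtop)
        cfgbase = cfgtop->backingStore; /* pre-patch: unconditional */
    if (base) {
        if (fixed && cfgtop)
            cfgbase = cfgtop->backingStore; /* patch 1/2: only with a base */
        for (n = top->backingStore; n && n != base; n = n->backingStore) {
            if (cfgbase) {
                cfgbaseparent = cfgbase;
                cfgbase = cfgbase->backingStore;
            }
            baseparent = n;
        }
    } else if (fixed) {
        base = image_new(NULL); /* patch 2/2: terminators */
        if (cfgtop) cfgbase = image_new(NULL);
    }
    top->backingStore = base;
    if (baseparent) baseparent->backingStore = NULL; /* detach removed images */
    release_chain(removed);
    if (cfgtop) {
        cfgtop->backingStore = cfgbase; /* dangling when !fixed && !base */
        if (cfgbaseparent) cfgbaseparent->backingStore = NULL;
        release_chain(cfgremoved);
    }
}

/* One pull on fresh live and config copies of top -> mid -> base; 'full'
 * selects base == NULL, otherwise the bottom image is the base. */
static pull_result_t demo_pull(int fixed, int full) {
    static const char *const paths[] = { "top.qcow2", "mid.qcow2", "base.qcow2" };
    image_t *top = chain_build(paths, 3), *cfgtop = chain_build(paths, 3);
    image_t *removed = top->backingStore, *cfgremoved = cfgtop->backingStore;
    image_t *base = full ? NULL : top->backingStore->backingStore;
    pull_complete(top, cfgtop, base, fixed);
    pull_result_t r = { cfgtop->backingStore && cfgtop->backingStore->released,
                        chain_len(top), chain_len(cfgtop),
                        base && top->backingStore == base && !base->released };
    chain_destroy(removed);
    chain_destroy(cfgremoved);
    if (r.cfg_dangling) cfgtop->backingStore = NULL; /* freed via cfgremoved */
    chain_destroy(top);
    chain_destroy(cfgtop);
    return r;
}
```

demo_pull(0, 1) reports cfg_dangling == 1 with the config chain still three images long, because the released 'mid' is still reachable from the config disk; demo_pull(1, 1) gives two images on each side, the top plus an empty terminator; and demo_pull(fixed, 0) behaves the same before and after the patches, which is why the bug only surfaced with base == NULL.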