From nobody Tue Apr 30 11:03:40 2024
Delivered-To: importer@patchew.org
Received-SPF: temperror (zoho.com: Error in retrieving data from DNS)
 client-ip=208.118.235.17;
 envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org;
 helo=lists.gnu.org;
Authentication-Results: mx.zohomail.com;
	spf=temperror (zoho.com: Error in retrieving data from DNS)
  smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org
Return-Path: <qemu-devel-bounces+importer=patchew.org@nongnu.org>
Received: from lists.gnu.org (208.118.235.17 [208.118.235.17]) by
 mx.zohomail.com
	with SMTPS id 150660028120847.675942696377206;
 Thu, 28 Sep 2017 05:04:41 -0700 (PDT)
Received: from localhost ([::1]:58929 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <qemu-devel-bounces+importer=patchew.org@nongnu.org>)
	id 1dxXYB-0007ZN-G2
	for importer@patchew.org; Thu, 28 Sep 2017 08:04:19 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:43315)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <vsementsov@virtuozzo.com>) id 1dxXXA-0007Fk-P3
	for qemu-devel@nongnu.org; Thu, 28 Sep 2017 08:03:23 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <vsementsov@virtuozzo.com>) id 1dxXX7-0006Yt-MZ
	for qemu-devel@nongnu.org; Thu, 28 Sep 2017 08:03:16 -0400
Received: from mailhub.sw.ru ([195.214.232.25]:35458 helo=relay.sw.ru)
	by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.71) (envelope-from <vsementsov@virtuozzo.com>)
	id 1dxXX7-0006Y8-6Q; Thu, 28 Sep 2017 08:03:13 -0400
Received: from kvm.sw.ru (msk-vpn.virtuozzo.com [195.214.232.6])
	by relay.sw.ru (8.13.4/8.13.4) with ESMTP id v8SC30sL001291;
	Thu, 28 Sep 2017 15:03:01 +0300 (MSK)
From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
To: qemu-devel@nongnu.org, qemu-block@nongnu.org
Date: Thu, 28 Sep 2017 15:03:00 +0300
Message-Id: <20170928120300.58164-1-vsementsov@virtuozzo.com>
X-Mailer: git-send-email 2.11.1
X-detected-operating-system: by eggs.gnu.org: OpenBSD 3.x [fuzzy]
X-Received-From: 195.214.232.25
Subject: [Qemu-devel] [PATCH] block/mirror: check backing in
 bdrv_mirror_top_refresh_filename
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Cc: kwolf@redhat.com, jcody@redhat.com, qemu-stable@nongnu.org,
	mreitz@redhat.com
Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org
Sender: "Qemu-devel" <qemu-devel-bounces+importer=patchew.org@nongnu.org>
X-ZohoMail: RSF_6  Z_629925259 SPT_0
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Backing may be zero after failed bdrv_attach_child in
bdrv_set_backing_hd, which leads to SIGSEGV.

Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Reviewed-by: John Snow <jsnow@redhat.com>
---

Hi all.

We have faced into this SIGSEGV because of image locking:
trying to call qemu-img commit on locked image leads to the following:

    Program terminated with signal 11, Segmentation fault.
    #0  bdrv_mirror_top_refresh_filename (bs=3D0x5616df9a7400, opts=3D0x561=
6df268400)
        at block/mirror.c:1203
    1203        bdrv_refresh_filename(bs->backing->bs);
   =20
    (gdb) bt
    #0  bdrv_mirror_top_refresh_filename (bs=3D0x5616df9a7400, opts=3D0x561=
6df268400)
        at block/mirror.c:1203
    #1  0x00005616ddc3d35f in bdrv_refresh_filename (bs=3D0x5616df9a7400) a=
t block.c:4739
    #2  0x00005616ddc3d672 in bdrv_set_backing_hd (bs=3Dbs@entry=3D0x5616df=
9a7400,=20
        backing_hd=3Dbacking_hd@entry=3D0x5616df25c000, errp=3Derrp@entry=
=3D0x7ffff7896a20)
        at block.c:2035
    #3  0x00005616ddc3dee3 in bdrv_append (bs_new=3Dbs_new@entry=3D0x5616df=
9a7400,=20
        bs_top=3Dbs_top@entry=3D0x5616df25c000, errp=3Derrp@entry=3D0x7ffff=
7896ad8)
        at block.c:3168
    #4  0x00005616ddc84e5f in mirror_start_job (
        job_id=3Djob_id@entry=3D0x5616ddd16a31 "commit", bs=3Dbs@entry=3D0x=
5616df25c000,=20
        creation_flags=3Dcreation_flags@entry=3D0, target=3Dtarget@entry=3D=
0x5616df262800,=20
        replaces=3Dreplaces@entry=3D0x0, speed=3Dspeed@entry=3D0, granulari=
ty=3D65536,=20
        granularity@entry=3D0, buf_size=3D16777216, buf_size@entry=3D0,=20
        backing_mode=3Dbacking_mode@entry=3DMIRROR_LEAVE_BACKING_CHAIN,=20
        on_source_error=3Don_source_error@entry=3DBLOCKDEV_ON_ERROR_REPORT,=20
        on_target_error=3Don_target_error@entry=3DBLOCKDEV_ON_ERROR_REPORT,=20
        unmap=3Dunmap@entry=3Dtrue, cb=3Dcb@entry=3D0x5616ddc35470 <common_=
block_job_cb>,=20
        opaque=3Dopaque@entry=3D0x7ffff7896c80, errp=3Derrp@entry=3D0x7ffff=
7896bd0,=20
        driver=3Ddriver@entry=3D0x5616ddf8d100 <commit_active_job_driver>,=20
        is_none_mode=3Dis_none_mode@entry=3Dfalse, base=3Dbase@entry=3D0x56=
16df262800,=20
        auto_complete=3Dauto_complete@entry=3Dfalse,=20
        filter_node_name=3Dfilter_node_name@entry=3D0x0) at block/mirror.c:=
1314
    #5  0x00005616ddc87580 in commit_active_start (
        job_id=3Djob_id@entry=3D0x5616ddd16a31 "commit", bs=3Dbs@entry=3D0x=
5616df25c000,=20
        base=3Dbase@entry=3D0x5616df262800, creation_flags=3Dcreation_flags=
@entry=3D0,=20
        speed=3Dspeed@entry=3D0, on_error=3Don_error@entry=3DBLOCKDEV_ON_ER=
ROR_REPORT,=20
        filter_node_name=3Dfilter_node_name@entry=3D0x0,=20
        cb=3Dcb@entry=3D0x5616ddc35470 <common_block_job_cb>,=20
        opaque=3Dopaque@entry=3D0x7ffff7896c80, errp=3Derrp@entry=3D0x7ffff=
7896c78,=20
        auto_complete=3Dauto_complete@entry=3Dfalse) at block/mirror.c:1463
    #6  0x00005616ddc33a68 in img_commit (argc=3D<optimized out>, argv=3D<o=
ptimized out>)
        at qemu-img.c:1013
    #7  0x00005616ddc2fa79 in main (argc=3D4, argv=3D0x7ffff7896e00) at qem=
u-img.c:4548


    (gdb) p bs->backing
    $2 =3D (BdrvChild *) 0x0
    (gdb) fr 2
    #2  0x00005616ddc3d672 in bdrv_set_backing_hd (bs=3Dbs@entry=3D0x5616df=
9a7400,=20
        backing_hd=3Dbacking_hd@entry=3D0x5616df25c000, errp=3Derrp@entry=
=3D0x7ffff7896a20)
        at block.c:2035
    2035        bdrv_refresh_filename(bs);
    (gdb) p *errp
    $4 =3D (Error *) 0x5616df1c2660
    (gdb) p **errp
    $5 =3D {msg =3D 0x5616df2554e0 "Failed to get \"write\" lock",=20
      err_class =3D ERROR_CLASS_GENERIC_ERROR,=20
      src =3D 0x5616ddd267fe "block/file-posix.c",=20
      func =3D 0x5616ddd26fe0 <__func__.27999> "raw_check_lock_bytes", line=
 =3D 682,=20
      hint =3D 0x5616df1fe520}


 block/mirror.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/block/mirror.c b/block/mirror.c
index 6f5cb9f26c..351b80ca2c 100644
--- a/block/mirror.c
+++ b/block/mirror.c
@@ -1073,6 +1073,11 @@ static int coroutine_fn bdrv_mirror_top_pdiscard(Blo=
ckDriverState *bs,
=20
 static void bdrv_mirror_top_refresh_filename(BlockDriverState *bs, QDict *=
opts)
 {
+    if (bs->backing =3D=3D NULL) {
+        /* we can be here after failed bdrv_attach_child in
+         * bdrv_set_backing_hd */
+        return;
+    }
     bdrv_refresh_filename(bs->backing->bs);
     pstrcpy(bs->exact_filename, sizeof(bs->exact_filename),
             bs->backing->bs->filename);
--=20
2.11.1