Series comparison

-[Qemu-devel] [PULL for-4.0 0/1] Block patches
+[PULL 0/1] Block patches
-The following changes since commit 3f3bbfc7cef4490c5ed5550766a81e7d18f08db1:
+The following changes since commit 661c2e1ab29cd9c4d268ae3f44712e8d421c0e56:
-  Merge remote-tracking branch 'remotes/huth-gitlab/tags/pull-request-2019-03-12' into staging (2019-03-12 21:06:26 +0000)
+  scripts/checkpatch: Fix a typo (2025-03-04 09:30:26 +0800)
 are available in the Git repository at:
-  git://github.com/stefanha/qemu.git tags/block-pull-request
+  https://gitlab.com/stefanha/qemu.git tags/block-pull-request
-for you to fetch changes up to f357fcd890a8d6ced6d261338b859a41414561e9:
+for you to fetch changes up to 2ad638a3d160923ef3dbf87c73944e6e44bdc724:
-  file-posix: add drop-cache=on|off option (2019-03-13 10:54:55 +0000)
+  block/qed: fix use-after-free by nullifying timer pointer after free (2025-03-06 10:19:54 +0800)
 ----------------------------------------------------------------
 Pull request
- * Add 'drop-cache=on|off' option to file-posix.c.  The default is on.
+QED need_check_timer use-after-free fix
    Disabling the option fixes a QEMU 3.0.0 performance regression when live
    migrating on the same host with cache.direct=off.
 ----------------------------------------------------------------
-Stefan Hajnoczi (1):
+Denis Rastyogin (1):
-  file-posix: add drop-cache=on|off option
+  block/qed: fix use-after-free by nullifying timer pointer after free
- qapi/block-core.json |  6 ++++++
+ block/qed.c | 1 +
- block/file-posix.c   | 16 ++++++++++++++++
+file changed, 1 insertion(+)
 files changed, 22 insertions(+)
 --
-.20.1
+.48.1

-[Qemu-devel] [PULL for-4.0 1/1] file-posix: add drop-cache=on|off option
+[PULL 1/1] block/qed: fix use-after-free by nullifying timer pointer after free
-Commit dd577a26ff03b6829721b1ffbbf9e7c411b72378 ("block/file-posix:
+From: Denis Rastyogin <gerben@altlinux.org>
 implement bdrv_co_invalidate_cache() on Linux") introduced page cache
 invalidation so that cache.direct=off live migration is safe on Linux.
-The invalidation takes a significant amount of time when the file is
+This error was discovered by fuzzing qemu-img.
 large and present in the page cache.  Normally this is not the case for
 cross-host live migration but it can happen when migrating between QEMU
 processes on the same host.
-On same-host migration we don't need to invalidate pages for correctness
+In the QED block driver, the need_check_timer timer is freed in
-anyway, so an option to skip page cache invalidation is useful.  I
+bdrv_qed_detach_aio_context, but the pointer to the timer is not
-investigated optimizing invalidation and detecting same-host migration,
+set to NULL. This can lead to a use-after-free scenario
-but both are hard to achieve so a user-visible option will suffice.
+in bdrv_qed_drain_begin().
-As a bonus this option means that the cache invalidation feature will
+The need_check_timer pointer is set to NULL after freeing the timer.
-now be detectable by libvirt via QMP schema introspection.
+Which helps catch this condition when checking in bdrv_qed_drain_begin().
-Suggested-by: Neil Skrypuch <neil@tembosocial.com>
+Closes: https://gitlab.com/qemu-project/qemu/-/issues/2852
-Tested-by: Neil Skrypuch <neil@tembosocial.com>
+Signed-off-by: Denis Rastyogin <gerben@altlinux.org>
-Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Message-ID: <20250304083927.37681-1-gerben@altlinux.org>
 Reviewed-by: Eric Blake <eblake@redhat.com>
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 Message-id: 20190307164941.3322-1-stefanha@redhat.com
 Message-Id: <20190307164941.3322-1-stefanha@redhat.com>
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
- qapi/block-core.json |  6 ++++++
+ block/qed.c | 1 +
- block/file-posix.c   | 16 ++++++++++++++++
+file changed, 1 insertion(+)
 files changed, 22 insertions(+)
-diff --git a/qapi/block-core.json b/qapi/block-core.json
+diff --git a/block/qed.c b/block/qed.c
 index XXXXXXX..XXXXXXX 100644
---- a/qapi/block-core.json
+--- a/block/qed.c
-+++ b/qapi/block-core.json
++++ b/block/qed.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static void bdrv_qed_detach_aio_context(BlockDriverState *bs)
- # @locking:     whether to enable file locking. If set to 'auto', only enable
- #               when Open File Descriptor (OFD) locking API is available
+     qed_cancel_need_check_timer(s);
- #               (default: auto, since 2.10)
+     timer_free(s->need_check_timer);
-+# @drop-cache:  invalidate page cache during live migration.  This prevents
++    s->need_check_timer = NULL;
-+#               stale data on the migration destination with cache.direct=off.
+ }
-+#               Currently only supported on Linux hosts.
-+#               (default: on, since: 4.0)
+ static void bdrv_qed_attach_aio_context(BlockDriverState *bs,
  # @x-check-cache-dropped: whether to check that page cache was dropped on live
  #                         migration.  May cause noticeable delays if the image
  #                         file is large, do not use in production.
@@ -XXX,XX +XXX,XX @@
              '*pr-manager': 'str',
              '*locking': 'OnOffAuto',
              '*aio': 'BlockdevAioOptions',
 +        '*drop-cache': {'type': 'bool',
 +                        'if': 'defined(CONFIG_LINUX)'},
              '*x-check-cache-dropped': 'bool' } }
  ##
 diff --git a/block/file-posix.c b/block/file-posix.c
 index XXXXXXX..XXXXXXX 100644
 --- a/block/file-posix.c
 +++ b/block/file-posix.c
@@ -XXX,XX +XXX,XX @@ typedef struct BDRVRawState {
      bool page_cache_inconsistent:1;
      bool has_fallocate;
      bool needs_alignment;
 +    bool drop_cache;
      bool check_cache_dropped;
      PRManager *pr_mgr;
@@ -XXX,XX +XXX,XX @@ typedef struct BDRVRawState {
  typedef struct BDRVRawReopenState {
      int fd;
      int open_flags;
 +    bool drop_cache;
      bool check_cache_dropped;
  } BDRVRawReopenState;
@@ -XXX,XX +XXX,XX @@ static QemuOptsList raw_runtime_opts = {
              .type = QEMU_OPT_STRING,
              .help = "id of persistent reservation manager object (default: none)",
          },
 +#if defined(__linux__)
 +        {
 +            .name = "drop-cache",
 +            .type = QEMU_OPT_BOOL,
 +            .help = "invalidate page cache during live migration (default: on)",
 +        },
 +#endif
          {
              .name = "x-check-cache-dropped",
              .type = QEMU_OPT_BOOL,
@@ -XXX,XX +XXX,XX @@ static int raw_open_common(BlockDriverState *bs, QDict *options,
          }
      }
 +    s->drop_cache = qemu_opt_get_bool(opts, "drop-cache", true);
      s->check_cache_dropped = qemu_opt_get_bool(opts, "x-check-cache-dropped",
                                                 false);
@@ -XXX,XX +XXX,XX @@ static int raw_reopen_prepare(BDRVReopenState *state,
          goto out;
      }
 +    rs->drop_cache = qemu_opt_get_bool_del(opts, "drop-cache", true);
      rs->check_cache_dropped =
          qemu_opt_get_bool_del(opts, "x-check-cache-dropped", false);
@@ -XXX,XX +XXX,XX @@ static void raw_reopen_commit(BDRVReopenState *state)
      BDRVRawState *s = state->bs->opaque;
      Error *local_err = NULL;
 +    s->drop_cache = rs->drop_cache;
      s->check_cache_dropped = rs->check_cache_dropped;
      s->open_flags = rs->open_flags;
@@ -XXX,XX +XXX,XX @@ static void coroutine_fn raw_co_invalidate_cache(BlockDriverState *bs,
          return;
      }
 +    if (!s->drop_cache) {
 +        return;
 +    }
 +
      if (s->open_flags & O_DIRECT) {
          return; /* No host kernel page cache */
      }
 --
-.20.1
+.48.1

Commit dd577a26ff03b6829721b1ffbbf9e7c411b72378 ("block/file-posix:
implement bdrv_co_invalidate_cache() on Linux") introduced page cache
invalidation so that cache.direct=off live migration is safe on Linux.

The invalidation takes a significant amount of time when the file is
large and present in the page cache.  Normally this is not the case for
cross-host live migration but it can happen when migrating between QEMU
processes on the same host.

On same-host migration we don't need to invalidate pages for correctness
anyway, so an option to skip page cache invalidation is useful.  I
investigated optimizing invalidation and detecting same-host migration,
but both are hard to achieve so a user-visible option will suffice.

As a bonus this option means that the cache invalidation feature will
now be detectable by libvirt via QMP schema introspection.

Suggested-by: Neil Skrypuch <neil@tembosocial.com>
Tested-by: Neil Skrypuch <neil@tembosocial.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 20190307164941.3322-1-stefanha@redhat.com
Message-Id: <20190307164941.3322-1-stefanha@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 qapi/block-core.json |  6 ++++++
 block/file-posix.c   | 16 ++++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/qapi/block-core.json b/qapi/block-core.json
index XXXXXXX..XXXXXXX 100644
--- a/qapi/block-core.json
+++ b/qapi/block-core.json
@@ -XXX,XX +XXX,XX @@
 # @locking:     whether to enable file locking. If set to 'auto', only enable
 #               when Open File Descriptor (OFD) locking API is available
 #               (default: auto, since 2.10)
+# @drop-cache:  invalidate page cache during live migration.  This prevents
+#               stale data on the migration destination with cache.direct=off.
+#               Currently only supported on Linux hosts.
+#               (default: on, since: 4.0)
 # @x-check-cache-dropped: whether to check that page cache was dropped on live
 #                         migration.  May cause noticeable delays if the image
 #                         file is large, do not use in production.
@@ -XXX,XX +XXX,XX @@
             '*pr-manager': 'str',
             '*locking': 'OnOffAuto',
             '*aio': 'BlockdevAioOptions',
+	    '*drop-cache': {'type': 'bool',
+	                    'if': 'defined(CONFIG_LINUX)'},
             '*x-check-cache-dropped': 'bool' } }
 
 ##
diff --git a/block/file-posix.c b/block/file-posix.c
index XXXXXXX..XXXXXXX 100644
--- a/block/file-posix.c
+++ b/block/file-posix.c
@@ -XXX,XX +XXX,XX @@ typedef struct BDRVRawState {
     bool page_cache_inconsistent:1;
     bool has_fallocate;
     bool needs_alignment;
+    bool drop_cache;
     bool check_cache_dropped;
 
     PRManager *pr_mgr;
@@ -XXX,XX +XXX,XX @@ typedef struct BDRVRawState {
 typedef struct BDRVRawReopenState {
     int fd;
     int open_flags;
+    bool drop_cache;
     bool check_cache_dropped;
 } BDRVRawReopenState;
 
@@ -XXX,XX +XXX,XX @@ static QemuOptsList raw_runtime_opts = {
             .type = QEMU_OPT_STRING,
             .help = "id of persistent reservation manager object (default: none)",
         },
+#if defined(__linux__)
+        {
+            .name = "drop-cache",
+            .type = QEMU_OPT_BOOL,
+            .help = "invalidate page cache during live migration (default: on)",
+        },
+#endif
         {
             .name = "x-check-cache-dropped",
             .type = QEMU_OPT_BOOL,
@@ -XXX,XX +XXX,XX @@ static int raw_open_common(BlockDriverState *bs, QDict *options,
         }
     }
 
+    s->drop_cache = qemu_opt_get_bool(opts, "drop-cache", true);
     s->check_cache_dropped = qemu_opt_get_bool(opts, "x-check-cache-dropped",
                                                false);
 
@@ -XXX,XX +XXX,XX @@ static int raw_reopen_prepare(BDRVReopenState *state,
         goto out;
     }
 
+    rs->drop_cache = qemu_opt_get_bool_del(opts, "drop-cache", true);
     rs->check_cache_dropped =
         qemu_opt_get_bool_del(opts, "x-check-cache-dropped", false);
 
@@ -XXX,XX +XXX,XX @@ static void raw_reopen_commit(BDRVReopenState *state)
     BDRVRawState *s = state->bs->opaque;
     Error *local_err = NULL;
 
+    s->drop_cache = rs->drop_cache;
     s->check_cache_dropped = rs->check_cache_dropped;
     s->open_flags = rs->open_flags;
 
@@ -XXX,XX +XXX,XX @@ static void coroutine_fn raw_co_invalidate_cache(BlockDriverState *bs,
         return;
     }
 
+    if (!s->drop_cache) {
+        return;
+    }
+
     if (s->open_flags & O_DIRECT) {
         return; /* No host kernel page cache */
     }
-- 
2.20.1

From: Denis Rastyogin <gerben@altlinux.org>

This error was discovered by fuzzing qemu-img.

In the QED block driver, the need_check_timer timer is freed in
bdrv_qed_detach_aio_context, but the pointer to the timer is not
set to NULL. This can lead to a use-after-free scenario
in bdrv_qed_drain_begin().

The need_check_timer pointer is set to NULL after freeing the timer.
Which helps catch this condition when checking in bdrv_qed_drain_begin().

Closes: https://gitlab.com/qemu-project/qemu/-/issues/2852
Signed-off-by: Denis Rastyogin <gerben@altlinux.org>
Message-ID: <20250304083927.37681-1-gerben@altlinux.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 block/qed.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/block/qed.c b/block/qed.c
index XXXXXXX..XXXXXXX 100644
--- a/block/qed.c
+++ b/block/qed.c
@@ -XXX,XX +XXX,XX @@ static void bdrv_qed_detach_aio_context(BlockDriverState *bs)
 
     qed_cancel_need_check_timer(s);
     timer_free(s->need_check_timer);
+    s->need_check_timer = NULL;
 }
 
 static void bdrv_qed_attach_aio_context(BlockDriverState *bs,
-- 
2.48.1