From: Eric Blake
To: qemu-devel@nongnu.org
Cc: Kevin Wolf, Hanna Reitz, Stefan Hajnoczi, "Denis V. Lunev", Stefan Weil, Jeff Cody, Fam Zheng, qemu-block@nongnu.org (open list:Block layer core)
Subject: [PATCH v3 1/2] block: Allow drivers to control protocol prefix at creation
Date: Mon, 15 Sep 2025 16:37:26 -0500
Message-ID: <20250915213919.3121401-5-eblake@redhat.com>
In-Reply-To: <20250915213919.3121401-4-eblake@redhat.com>

This patch is pure refactoring: instead of hard-coding permission to use a protocol prefix when creating an image, the drivers can now pass in a parameter, comparable to what they could
already do for opening a pre-existing image. This patch is purely mechanical (all drivers pass in true for now), but it will enable the next patch to cater to drivers that want to differ in behavior for the primary image vs. any secondary images that are opened at the same time as creating the primary image. Signed-off-by: Eric Blake --- include/block/block-global-state.h | 3 ++- block.c | 4 ++-- block/crypto.c | 2 +- block/parallels.c | 2 +- block/qcow.c | 2 +- block/qcow2.c | 4 ++-- block/qed.c | 2 +- block/raw-format.c | 2 +- block/vdi.c | 2 +- block/vhdx.c | 2 +- block/vmdk.c | 2 +- block/vpc.c | 2 +- 12 files changed, 15 insertions(+), 14 deletions(-) diff --git a/include/block/block-global-state.h b/include/block/block-globa= l-state.h index 62da83c6165..479ca2858e1 100644 --- a/include/block/block-global-state.h +++ b/include/block/block-global-state.h @@ -65,7 +65,8 @@ int co_wrapper bdrv_create(BlockDriver *drv, const char *= filename, QemuOpts *opts, Error **errp); int coroutine_fn GRAPH_UNLOCKED -bdrv_co_create_file(const char *filename, QemuOpts *opts, Error **errp); +bdrv_co_create_file(const char *filename, QemuOpts *opts, + bool allow_protocol_prefix, Error **errp); BlockDriverState *bdrv_new(void); int bdrv_append(BlockDriverState *bs_new, BlockDriverState *bs_top, diff --git a/block.c b/block.c index 8848e9a7ed6..8171fad07f4 100644 --- a/block.c +++ b/block.c @@ -693,7 +693,7 @@ out: } int coroutine_fn bdrv_co_create_file(const char *filename, QemuOpts *opts, - Error **errp) + bool allow_protocol_prefix, Error **e= rrp) { QemuOpts *protocol_opts; BlockDriver *drv; @@ -702,7 +702,7 @@ int coroutine_fn bdrv_co_create_file(const char *filena= me, QemuOpts *opts, GLOBAL_STATE_CODE(); - drv =3D bdrv_find_protocol(filename, true, errp); + drv =3D bdrv_find_protocol(filename, allow_protocol_prefix, errp); if (drv =3D=3D NULL) { return -ENOENT; } diff --git a/block/crypto.c b/block/crypto.c index d4226cc68a4..5116bb6382c 100644 --- a/block/crypto.c 
+++ b/block/crypto.c @@ -821,7 +821,7 @@ block_crypto_co_create_opts_luks(BlockDriver *drv, cons= t char *filename, } /* Create protocol layer */ - ret =3D bdrv_co_create_file(filename, opts, errp); + ret =3D bdrv_co_create_file(filename, opts, true, errp); if (ret < 0) { goto fail; } diff --git a/block/parallels.c b/block/parallels.c index 3a375e2a8ab..7a90fb5220b 100644 --- a/block/parallels.c +++ b/block/parallels.c @@ -1117,7 +1117,7 @@ parallels_co_create_opts(BlockDriver *drv, const char= *filename, } /* Create and open the file (protocol layer) */ - ret =3D bdrv_co_create_file(filename, opts, errp); + ret =3D bdrv_co_create_file(filename, opts, true, errp); if (ret < 0) { goto done; } diff --git a/block/qcow.c b/block/qcow.c index 8a3e7591a92..f7501fa2f03 100644 --- a/block/qcow.c +++ b/block/qcow.c @@ -978,7 +978,7 @@ qcow_co_create_opts(BlockDriver *drv, const char *filen= ame, } /* Create and open the file (protocol layer) */ - ret =3D bdrv_co_create_file(filename, opts, errp); + ret =3D bdrv_co_create_file(filename, opts, true, errp); if (ret < 0) { goto fail; } diff --git a/block/qcow2.c b/block/qcow2.c index 4aa9f9e068e..ec72e272143 100644 --- a/block/qcow2.c +++ b/block/qcow2.c @@ -3956,7 +3956,7 @@ qcow2_co_create_opts(BlockDriver *drv, const char *fi= lename, QemuOpts *opts, } /* Create and open the file (protocol layer) */ - ret =3D bdrv_co_create_file(filename, opts, errp); + ret =3D bdrv_co_create_file(filename, opts, true, errp); if (ret < 0) { goto finish; } @@ -3971,7 +3971,7 @@ qcow2_co_create_opts(BlockDriver *drv, const char *fi= lename, QemuOpts *opts, /* Create and open an external data file (protocol layer) */ val =3D qdict_get_try_str(qdict, BLOCK_OPT_DATA_FILE); if (val) { - ret =3D bdrv_co_create_file(val, opts, errp); + ret =3D bdrv_co_create_file(val, opts, true, errp); if (ret < 0) { goto finish; } diff --git a/block/qed.c b/block/qed.c index 4a36fb39294..da23a83d623 100644 --- a/block/qed.c +++ b/block/qed.c 
@@ -788,7 +788,7 @@ bdrv_qed_co_create_opts(BlockDriver *drv, const char *f= ilename, } /* Create and open the file (protocol layer) */ - ret =3D bdrv_co_create_file(filename, opts, errp); + ret =3D bdrv_co_create_file(filename, opts, true, errp); if (ret < 0) { goto fail; } diff --git a/block/raw-format.c b/block/raw-format.c index df16ac1ea25..a57c2922d55 100644 --- a/block/raw-format.c +++ b/block/raw-format.c @@ -463,7 +463,7 @@ static int coroutine_fn GRAPH_UNLOCKED raw_co_create_opts(BlockDriver *drv, const char *filename, QemuOpts *opts, Error **errp) { - return bdrv_co_create_file(filename, opts, errp); + return bdrv_co_create_file(filename, opts, true, errp); } static int raw_open(BlockDriverState *bs, QDict *options, int flags, diff --git a/block/vdi.c b/block/vdi.c index 3ddc62a5690..87b874a7ef5 100644 --- a/block/vdi.c +++ b/block/vdi.c @@ -938,7 +938,7 @@ vdi_co_create_opts(BlockDriver *drv, const char *filena= me, qdict =3D qemu_opts_to_qdict_filtered(opts, NULL, &vdi_create_opts, tr= ue); /* Create and open the file (protocol layer) */ - ret =3D bdrv_co_create_file(filename, opts, errp); + ret =3D bdrv_co_create_file(filename, opts, true, errp); if (ret < 0) { goto done; } diff --git a/block/vhdx.c b/block/vhdx.c index b2a4b813a0b..c16e4a00c8d 100644 --- a/block/vhdx.c +++ b/block/vhdx.c @@ -2096,7 +2096,7 @@ vhdx_co_create_opts(BlockDriver *drv, const char *fil= ename, } /* Create and open the file (protocol layer) */ - ret =3D bdrv_co_create_file(filename, opts, errp); + ret =3D bdrv_co_create_file(filename, opts, true, errp); if (ret < 0) { goto fail; } diff --git a/block/vmdk.c b/block/vmdk.c index 7b98debc2b9..eb3c174eca4 100644 --- a/block/vmdk.c +++ b/block/vmdk.c @@ -2334,7 +2334,7 @@ vmdk_create_extent(const char *filename, int64_t file= size, bool flat, int ret; BlockBackend *blk =3D NULL; - ret =3D bdrv_co_create_file(filename, opts, errp); + ret =3D bdrv_co_create_file(filename, opts, true, errp); if (ret < 0) { goto exit; } 
diff --git a/block/vpc.c b/block/vpc.c index 801ff5793f8..07e8ae0309a 100644 --- a/block/vpc.c +++ b/block/vpc.c 
@@ -1118,7 +1118,7 @@ vpc_co_create_opts(BlockDriver *drv, const char *file= name, } /* Create and open the file (protocol layer) */ - ret =3D bdrv_co_create_file(filename, opts, errp); + ret =3D bdrv_co_create_file(filename, opts, true, errp); if (ret < 0) { goto fail; } --=20 2.51.0
From: Eric Blake
To: qemu-devel@nongnu.org
Cc: Kevin Wolf, Hanna Reitz, Fam Zheng, qemu-block@nongnu.org (open list:qcow2)
Subject: [PATCH v3 2/2] qcow2, vmdk: Restrict creation with secondary file using protocol
Date: Mon, 15 Sep 2025 16:37:27 -0500
Message-ID: <20250915213919.3121401-6-eblake@redhat.com>
In-Reply-To: <20250915213919.3121401-4-eblake@redhat.com>

Ever since CVE-2024-4467 (see commit 7ead9469 in qemu v9.1.0), we have intentionally treated the opening of secondary files whose name is specified in the contents of the primary file, such as a qcow2 data_file, as something that must be a local file and not a protocol prefix (it is still possible to open a qcow2 file that wraps an NBD data image by using QMP commands, but that is from the explicit action of the
QMP overriding any string encoded in the qcow2 file). At the time, we did not prevent the use of protocol prefixes on the secondary image while creating a qcow2 file, but it results in a qcow2 file that records an empty string for the data_file, rather than the protocol passed in during creation:

  $ qemu-img create -f raw datastore.raw 2G
  $ qemu-nbd -e 0 -t -f raw datastore.raw &
  $ qemu-img create -f qcow2 -o data_file=nbd://localhost:10809/ \
    datastore_nbd.qcow2 2G
  Formatting 'datastore_nbd.qcow2', fmt=qcow2 cluster_size=65536 extended_l2=off compression_type=zlib size=2147483648 data_file=nbd://localhost:10809/ lazy_refcounts=off refcount_bits=16
  $ qemu-img info datastore_nbd.qcow2 | grep data
  $ qemu-img info datastore_nbd.qcow2 | grep data
  image: datastore_nbd.qcow2
  data file:
  data file raw: false
  filename: datastore_nbd.qcow2

And since an empty string was recorded in the file, attempting to open the image without using QMP to supply the NBD data store fails, with a somewhat confusing error message:

  $ qemu-io -f qcow2 datastore_nbd.qcow2
  qemu-io: can't open device datastore_nbd.qcow2: The 'file' block driver requires a file name

Although the ability to create an image with a convenience reference to a protocol data file is not a security hole (unlike the case with open, the image is not untrusted if we are the ones creating it), the above demo shows that it is still inconsistent. Thus, it makes more sense if we also insist that image creation rejects a protocol prefix when using the same syntax.
Now, the above attempt produces:

  $ qemu-img create -f qcow2 -o data_file=nbd://localhost:10809/ \
    datastore_nbd.qcow2 2G
  Formatting 'datastore_nbd.qcow2', fmt=qcow2 cluster_size=65536 extended_l2=off compression_type=zlib size=2147483648 data_file=nbd://localhost:10809/ lazy_refcounts=off refcount_bits=16
  qemu-img: datastore_nbd.qcow2: Could not create 'nbd://localhost:10809/': No such file or directory

with datastore_nbd.qcow2 no longer created.

Signed-off-by: Eric Blake
--- block/qcow2.c | 2 +- block/vmdk.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/block/qcow2.c b/block/qcow2.c index ec72e272143..cb0bdb32eca 100644 --- a/block/qcow2.c +++ b/block/qcow2.c @@ -3971,7 +3971,7 @@ qcow2_co_create_opts(BlockDriver *drv, const char *fi= lename, QemuOpts *opts, /* Create and open an external data file (protocol layer) */ val =3D qdict_get_try_str(qdict, BLOCK_OPT_DATA_FILE); if (val) { - ret =3D bdrv_co_create_file(val, opts, true, errp); + ret =3D bdrv_co_create_file(val, opts, false, errp); if (ret < 0) { goto finish; } diff --git a/block/vmdk.c b/block/vmdk.c index eb3c174eca4..3b35b63cb59 100644 --- a/block/vmdk.c +++ b/block/vmdk.c @@ -2334,7 +2334,7 @@ vmdk_create_extent(const char *filename, int64_t file= size, bool flat, int ret; BlockBackend *blk =3D NULL; - ret =3D bdrv_co_create_file(filename, opts, true, errp); + ret =3D bdrv_co_create_file(filename, opts, false, errp); if (ret < 0) { goto exit; } --=20 2.51.0
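
Review bot: In patch 1/2, the include/block/block-global-state.h hunk adds "bool allow_protocol_prefix" to the bdrv_co_create_file() prototype without a comment saying what true and false mean for a name such as nbd://..., and every converted caller then passes a bare true. A short comment on the prototype would make the call sites self-explanatory; it matters most for the second block/qcow2.c hunk, where the BLOCK_OPT_DATA_FILE call creates a secondary file and is easy to copy as true into a new driver.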
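
Review bot: In patch 2/2, the block/qcow2.c hunk leaves the comment "Create and open an external data file (protocol layer)" unchanged although the call below it now passes false, and the only diagnostic the user sees is the one quoted in the commit message, "Could not create 'nbd://localhost:10809/': No such file or directory", which does not say that a protocol prefix is refused for data_file. Consider updating the comment and adding an explicit error or hint that names data_file. The diffstat also lists only block/qcow2.c and block/vmdk.c, so the new rejection has no test; one create case with data_file=nbd://... would pin the behaviour.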
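
Review bot: In patch 2/2, the block/vmdk.c hunk flips the flag inside vmdk_create_extent(), and the context lines do not show whether that function is reached only for secondary extents or also for the file the user named on the command line. The commit message motivates and demonstrates the change with qcow2 data_file only. If vmdk_create_extent() also creates the primary image, this hunk would refuse vmdk creation over a protocol prefix altogether, so please confirm the call path and add a sentence (and a before/after example) for vmdk to the commit message.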
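
A simplified model of the driver selection that this series parameterizes, added here as an example; it is not QEMU's code. The names known_protocols, has_protocol_prefix and select_create_driver are hypothetical, and the rule that a prefix is a ':' appearing before the first '/' is an assumption of the model.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed driver table for this model; not QEMU's driver registry. */
static const char *const known_protocols[] = { "file", "nbd", "http", "ssh" };

/* Model assumption: a name has a protocol prefix when ':' comes before any '/'. */
static bool has_protocol_prefix(const char *name)
{
    const char *p = name + strcspn(name, ":/");
    return *p == ':';
}

/*
 * Pick the driver that would create `name`.
 * Returns the driver name, or NULL when a prefix is honoured but unknown.
 * With allow_protocol_prefix == false the whole string is a local file name.
 */
static const char *select_create_driver(const char *name,
                                        bool allow_protocol_prefix)
{
    size_t len, i;

    if (!allow_protocol_prefix || !has_protocol_prefix(name)) {
        return "file";
    }
    len = strcspn(name, ":");
    for (i = 0; i < sizeof(known_protocols) / sizeof(known_protocols[0]); i++) {
        if (strlen(known_protocols[i]) == len &&
            strncmp(name, known_protocols[i], len) == 0) {
            return known_protocols[i];
        }
    }
    return NULL;
}

int main(void)
{
    /* Constructed sample names: primary-style and secondary-style inputs. */
    static const char *const names[] = {
        "datastore_nbd.qcow2", "nbd://localhost:10809/", "nbd:disk.raw",
        "./nbd:disk.raw", "bogus:thing",
    };
    size_t i;

    printf("%-26s %-10s %-10s\n", "name", "allow", "deny");
    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        const char *a = select_create_driver(names[i], true);
        const char *d = select_create_driver(names[i], false);
        printf("%-26s %-10s %-10s\n", names[i], a ? a : "(unknown)", d);
    }
    return 0;
}
```

In the model, denying the prefix hands nbd://localhost:10809/ to the file driver as a literal path, which is consistent with the "Could not create ... No such file or directory" error quoted in the 2/2 commit message.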