From: Stefan Hajnoczi <stefanha@gmail.com>
To: Fam Zheng <famz@redhat.com>
Cc: kwolf@redhat.com, rjones@redhat.com, armbru@redhat.com,
	qemu-devel@nongnu.org, imain@redhat.com, stefanha@redhat.com,
	pbonzini@redhat.com
Subject: Re: [Qemu-devel] [PATCH v8 08/12] block: Parse "backing" option to reference existing BDS
Date: Fri, 3 Jan 2014 17:19:01 +0800	[thread overview]
Message-ID: <20140103091901.GC1483@stefanha-thinkpad.redhat.com> (raw)
In-Reply-To: <1386920120-2651-9-git-send-email-famz@redhat.com>

On Fri, Dec 13, 2013 at 03:35:16PM +0800, Fam Zheng wrote:
> diff --git a/block.c b/block.c
> index b3993d7..fba7148 100644
> --- a/block.c
> +++ b/block.c
> @@ -1191,11 +1191,25 @@ int bdrv_open(BlockDriverState *bs, const char *filename, QDict *options,
>      /* If there is a backing file, use it */
>      if ((flags & BDRV_O_NO_BACKING) == 0) {
>          QDict *backing_options;
> -
> -        qdict_extract_subqdict(options, &backing_options, "backing.");
> -        ret = bdrv_open_backing_file(bs, backing_options, &local_err);
> -        if (ret < 0) {
> -            goto close_and_fail;
> +        const char *backing_name;
> +        BlockDriverState *backing_hd;
> +
> +        backing_name = qdict_get_try_str(options, "backing");
> +        qdict_del(options, "backing");

This causes a use-after-free since backing_name is a const char pointer
to the qdict element!

> +        if (backing_name) {
> +            backing_hd = bdrv_find(backing_name);
> +            if (!backing_hd) {
> +                error_set(&local_err, QERR_DEVICE_NOT_FOUND, backing_name);
> +                ret = -ENOENT;
> +                goto close_and_fail;
> +            }
> +            bdrv_set_backing_hd(bs, backing_hd);
> +        } else {
> +            qdict_extract_subqdict(options, &backing_options, "backing.");
> +            ret = bdrv_open_backing_file(bs, backing_options, &local_err);
> +            if (ret < 0) {
> +                goto close_and_fail;
> +            }
>          }

Seems like users can specify backing=foo backing.file=/tmp/a and we
ignore backing.file.  Is it useful to silently ignore the backing.
subdict?  The user may have given useless options by mistake.  An error
would help prevent weird options combinations.

>      }
>  
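Review bot: `backing_name` is a borrowed pointer into the `options` QDict, and the `qdict_del(options, "backing")` on the next line frees the entry it points into, so the later `bdrv_find(backing_name)` and `error_set(&local_err, QERR_DEVICE_NOT_FOUND, backing_name)` read freed memory; either take an owned copy (`backing_name = g_strdup(qdict_get_try_str(options, "backing"))`, freed on every exit path) or move the `qdict_del()` below the `if (backing_name) { ... }` block, once the name is no longer needed. Separately, the `backing_name` branch neither rejects `backing_hd == bs` nor removes `backing.*` from `options`, so a self-referencing backing chain or stale `backing.*` keys get through without any error.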
> @@ -1682,7 +1696,6 @@ void bdrv_swap(BlockDriverState *bs_new, BlockDriverState *bs_old)
>      assert(QLIST_EMPTY(&bs_new->dirty_bitmaps));
>      assert(bs_new->job == NULL);
>      assert(bs_new->dev == NULL);
> -    assert(bdrv_op_blocker_is_empty(bs_new));
>      assert(bs_new->io_limits_enabled == false);
>      assert(!throttle_have_timer(&bs_new->throttle_state));
>  
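Review bot: dropping `assert(bdrv_op_blocker_is_empty(bs_new))` from the pre-swap checks is unrelated to parsing the `backing` option and removes the only guard in this function that a BDS carrying operation blockers is never swapped in; split it into its own patch whose commit message names the caller that now performs the check, or leave the assert in place until that caller exists.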
> @@ -1701,7 +1714,6 @@ void bdrv_swap(BlockDriverState *bs_new, BlockDriverState *bs_old)
>      /* Check a few fields that should remain attached to the device */
>      assert(bs_new->dev == NULL);
>      assert(bs_new->job == NULL);
> -    assert(bdrv_op_blocker_is_empty(bs_new));
>      assert(bs_new->io_limits_enabled == false);
>      assert(!throttle_have_timer(&bs_new->throttle_state));
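Review bot: this removal takes `bdrv_op_blocker_is_empty(bs_new)` out of the "fields that should remain attached to the device" checks as well, so after this patch nothing in bdrv_swap() verifies on which side of the swap the op_blockers list ends up; at minimum add a comment here stating the intended ownership of the blockers across a swap and why the assert can no longer hold.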

Why are these hunks part of this patch?  I guess it makes sense *not* to
check for blockers in bdrv_swap().  Instead the high-level functions in
blockdev.c and elsewhere should check blockers.
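As an added illustration of the ordering bug Stefan points out (this is not code from the patch or from QEMU), the block below uses a toy string dictionary standing in for QDict; `dict_get_try_str()` and `dict_del()` mirror the borrowed-pointer semantics of `qdict_get_try_str()` and `qdict_del()`, the `known` device table stands in for `bdrv_find()`, and all names and option values are constructed for the example. It shows the two safe orderings (copy first, or use then delete) and a check for leftover `backing.*` keys.

```c
#include <stdlib.h>
#include <string.h>

#define DICT_MAX 16

/* Toy dictionary: owns its keys and values, like QDict owns its entries. */
typedef struct {
    char *keys[DICT_MAX];
    char *vals[DICT_MAX];
    int n;
} Dict;

static char *xstrdup(const char *s) {
    size_t len = strlen(s) + 1;
    char *p = malloc(len);
    if (p) memcpy(p, s, len);
    return p;
}

static void dict_init(Dict *d) { memset(d, 0, sizeof(*d)); }

/* Store copies of key and value; -1 if the table is full. */
static int dict_put(Dict *d, const char *key, const char *val) {
    if (d->n >= DICT_MAX) return -1;
    d->keys[d->n] = xstrdup(key);
    d->vals[d->n] = xstrdup(val);
    d->n++;
    return 0;
}

/* Return the stored pointer (a borrow, NOT a copy) or NULL: the
 * qdict_get_try_str() shape that makes the ordering matter. */
static const char *dict_get_try_str(const Dict *d, const char *key) {
    for (int i = 0; i < d->n; i++)
        if (strcmp(d->keys[i], key) == 0) return d->vals[i];
    return NULL;
}

/* Delete and free the entry, like qdict_del(). Any pointer previously
 * returned by dict_get_try_str() for this key is dangling afterwards. */
static void dict_del(Dict *d, const char *key) {
    for (int i = 0; i < d->n; i++) {
        if (strcmp(d->keys[i], key) == 0) {
            free(d->keys[i]);
            free(d->vals[i]);
            d->n--;
            d->keys[i] = d->keys[d->n];
            d->vals[i] = d->vals[d->n];
            return;
        }
    }
}

static void dict_free(Dict *d) {
    for (int i = 0; i < d->n; i++) { free(d->keys[i]); free(d->vals[i]); }
    d->n = 0;
}

/* Fix A: copy the value before deleting the key. The caller owns the
 * returned string and must free() it on every exit path. */
static char *take_backing_copy(Dict *opts) {
    const char *name = dict_get_try_str(opts, "backing");
    char *owned = name ? xstrdup(name) : NULL;
    dict_del(opts, "backing");   /* safe: we no longer use the borrow */
    return owned;
}

/* Fix B: finish every use of the borrowed pointer, then delete the key.
 * Returns 0 when no "backing" option is present, 1 when the named device
 * exists (index in *found_idx), -1 when it does not (the patch's -ENOENT). */
static int take_backing_use_then_del(Dict *opts, const char *const *known,
                                     int nknown, int *found_idx) {
    const char *name = dict_get_try_str(opts, "backing");
    if (!name) return 0;
    *found_idx = -1;
    for (int i = 0; i < nknown; i++)          /* stand-in for bdrv_find() */
        if (strcmp(known[i], name) == 0) { *found_idx = i; break; }
    dict_del(opts, "backing");   /* only now is dropping the entry safe */
    return *found_idx >= 0 ? 1 : -1;
}

/* Stefan's second point: once "backing" named an existing device, any
 * remaining "backing.*" key is a dead option worth reporting, not ignoring.
 * Returns the first such key (borrowed) or NULL. */
static const char *dict_first_with_prefix(const Dict *d, const char *prefix) {
    size_t n = strlen(prefix);
    for (int i = 0; i < d->n; i++)
        if (strncmp(d->keys[i], prefix, n) == 0) return d->keys[i];
    return NULL;
}
```

Fix B is the smaller change to the hunk as posted (move the `qdict_del()` below the `if (backing_name)` block); Fix A is the one to prefer when the name must outlive the options dictionary, at the cost of a `g_free()` on each exit path.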


Thread overview: 22+ messages
2013-12-13  7:35 [Qemu-devel] [PATCH v8 00/12] Drop in_use from BlockDriverState and enable point-in-time snapshot exporting over NBD Fam Zheng
2013-12-13  7:35 ` [Qemu-devel] [PATCH v8 01/12] blkdebug: Use QLIST_FOREACH_SAFE to resume IO Fam Zheng
2013-12-13  7:35 ` [Qemu-devel] [PATCH v8 02/12] qapi: Add BlockOperationType enum Fam Zheng
2014-01-03 10:09   ` Stefan Hajnoczi
2014-01-08  2:28     ` Fam Zheng
2014-01-08  3:26       ` Stefan Hajnoczi
2014-01-08  3:31         ` Fam Zheng
2013-12-13  7:35 ` [Qemu-devel] [PATCH v8 03/12] block: Introduce op_blockers to BlockDriverState Fam Zheng
2013-12-13  7:35 ` [Qemu-devel] [PATCH v8 04/12] block: Replace in_use with operation blocker Fam Zheng
2013-12-13  7:35 ` [Qemu-devel] [PATCH v8 05/12] block: Move op_blocker check from block_job_create to its caller Fam Zheng
2013-12-13  7:35 ` [Qemu-devel] [PATCH v8 06/12] block: Add bdrv_set_backing_hd() Fam Zheng
2014-01-03  9:02   ` Stefan Hajnoczi
2013-12-13  7:35 ` [Qemu-devel] [PATCH v8 07/12] block: Add backing_blocker in BlockDriverState Fam Zheng
2014-01-03  9:09   ` Stefan Hajnoczi
2013-12-13  7:35 ` [Qemu-devel] [PATCH v8 08/12] block: Parse "backing" option to reference existing BDS Fam Zheng
2014-01-03  9:19   ` Stefan Hajnoczi [this message]
2014-01-08  6:18     ` Fam Zheng
2013-12-13  7:35 ` [Qemu-devel] [PATCH v8 09/12] block: Support dropping active in bdrv_drop_intermediate Fam Zheng
2014-01-03 10:04   ` Stefan Hajnoczi
2013-12-13  7:35 ` [Qemu-devel] [PATCH v8 10/12] stream: Use bdrv_drop_intermediate and drop close_unused_images Fam Zheng
2013-12-13  7:35 ` [Qemu-devel] [PATCH v8 11/12] qmp: Add command 'blockdev-backup' Fam Zheng
2013-12-13  7:35 ` [Qemu-devel] [PATCH v8 12/12] block: Allow backup on referenced named BlockDriverState Fam Zheng
