[PATCH v2 2/2] qcow2: Fix corruption bug in qcow2_detect_metadata_preallocation()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Kevin Wolf <kwolf@redhat.com>
To: qemu-block@nongnu.org
Cc: kwolf@redhat.com, psyhomb@gmail.com, michael@weiser.dinsnail.net,
	vsementsov@virtuozzo.com, den@virtuozzo.com,
	qemu-devel@nongnu.org, qemu-stable@nongnu.org,
	dgilbert@redhat.com, mreitz@redhat.com, lersek@redhat.com
Subject: [PATCH v2 2/2] qcow2: Fix corruption bug in qcow2_detect_metadata_preallocation()
Date: Thu, 24 Oct 2019 16:26:58 +0200	[thread overview]
Message-ID: <20191024142658.22306-3-kwolf@redhat.com> (raw)
In-Reply-To: <20191024142658.22306-1-kwolf@redhat.com>

qcow2_detect_metadata_preallocation() calls qcow2_get_refcount() which
requires s->lock to be taken to protect its accesses to the refcount
table and refcount blocks. However, nothing in this code path actually
took the lock. This could cause the same cache entry to be used by two
requests at the same time, for different tables at different offsets,
resulting in image corruption.

As it would be preferable to base the detection on consistent data (even
though it's just heuristics), let's take the lock not only around the
qcow2_get_refcount() calls, but around the whole function.

This patch takes the lock in qcow2_co_block_status() earlier and asserts
in qcow2_detect_metadata_preallocation() that we hold the lock.

Fixes: 69f47505ee66afaa513305de0c1895a224e52c45
Cc: qemu-stable@nongnu.org
Reported-by: Michael Weiser <michael@weiser.dinsnail.net>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
---
 block/qcow2-refcount.c | 2 ++
 block/qcow2.c          | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
index ef965d7895..0d64bf5a5e 100644
--- a/block/qcow2-refcount.c
+++ b/block/qcow2-refcount.c
@@ -3455,6 +3455,8 @@ int qcow2_detect_metadata_preallocation(BlockDriverState *bs)
     int64_t i, end_cluster, cluster_count = 0, threshold;
     int64_t file_length, real_allocation, real_clusters;
 
+    qemu_co_mutex_assert_locked(&s->lock);
+
     file_length = bdrv_getlength(bs->file->bs);
     if (file_length < 0) {
         return file_length;
diff --git a/block/qcow2.c b/block/qcow2.c
index 8b05933565..0bc69e6996 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -1916,6 +1916,8 @@ static int coroutine_fn qcow2_co_block_status(BlockDriverState *bs,
     unsigned int bytes;
     int status = 0;
 
+    qemu_co_mutex_lock(&s->lock);
+
     if (!s->metadata_preallocation_checked) {
         ret = qcow2_detect_metadata_preallocation(bs);
         s->metadata_preallocation = (ret == 1);
@@ -1923,7 +1925,6 @@ static int coroutine_fn qcow2_co_block_status(BlockDriverState *bs,
     }
 
     bytes = MIN(INT_MAX, count);
-    qemu_co_mutex_lock(&s->lock);
     ret = qcow2_get_cluster_offset(bs, offset, &bytes, &cluster_offset);
     qemu_co_mutex_unlock(&s->lock);
     if (ret < 0) {
-- 
2.20.1

next prev parent reply	other threads:[~2019-10-24 16:21 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-10-24 14:26 [PATCH v2 0/2] qcow2: Fix image corruption bug in 4.1 Kevin Wolf
2019-10-24 14:26 ` [PATCH v2 1/2] coroutine: Add qemu_co_mutex_assert_locked() Kevin Wolf
2019-10-24 15:35   ` Vladimir Sementsov-Ogievskiy
2019-10-24 15:50     ` Denis Lunev
2019-10-24 14:26 ` Kevin Wolf [this message]
2019-10-25 10:44 ` [PATCH v2 0/2] qcow2: Fix image corruption bug in 4.1 Max Reitz
2019-10-25 14:42 ` Michael Weiser

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:ef965d789 dfblob:0d64bf5a5 dfblob:8b0593356 dfblob:0bc69e699 )
 OR (
bs:"[PATCH v2 2/2] qcow2: Fix corruption bug in qcow2_detect_metadata_preallocation()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20191024142658.22306-3-kwolf@redhat.com \
    --to=kwolf@redhat.com \
    --cc=den@virtuozzo.com \
    --cc=dgilbert@redhat.com \
    --cc=lersek@redhat.com \
    --cc=michael@weiser.dinsnail.net \
    --cc=mreitz@redhat.com \
    --cc=psyhomb@gmail.com \
    --cc=qemu-block@nongnu.org \
    --cc=qemu-devel@nongnu.org \
    --cc=qemu-stable@nongnu.org \
    --cc=vsementsov@virtuozzo.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.