From: Kevin Wolf <kwolf@redhat.com>
To: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Cc: "Mansour Ahmadi" <ManSoSec@gmail.com>,
"Philippe Mathieu-Daudé" <philmd@redhat.com>,
qemu-devel@nongnu.org, Qemu-block <qemu-block@nongnu.org>
Subject: Re: Potential Null dereference
Date: Tue, 24 Mar 2020 13:58:24 +0100 [thread overview]
Message-ID: <20200324125824.GH5417@linux.fritz.box> (raw)
In-Reply-To: <c99b61b9-08eb-92cc-5590-e28076b23e43@virtuozzo.com>
Am 24.03.2020 um 13:37 hat Vladimir Sementsov-Ogievskiy geschrieben:
> 24.03.2020 14:59, Vladimir Sementsov-Ogievskiy wrote:
> > Aha, new crashes! Let's look at them.
> >
> > 41 and 155 failed with crash, 141 without but I see "+{"error": {"class": "GenericError", "desc": "Block device drv0 is in use"}}" in its output.
> >
> > Hmm, but all crashes are because of assert(QTAILQ_EMPTY(&all_bdrv_states)); in bdrv_close_all..
> >
> > So, we have a problem, but another one..
>
> Investigate it a bit more.
>
> Accordingly to comment, bdrv_attach_child unrefs child bs even on failure, so let's do
>
> --- a/block.c
> +++ b/block.c
> @@ -2768,6 +2768,7 @@ void bdrv_set_backing_hd_ex(BlockDriverState *bs, BlockDriverState *backing_hd,
>
> if (bdrv_attach_child_fail) {
> bs->backing = NULL;
> + bdrv_unref(backing_hd);
> error_setg(errp, "Unpredicted failure :)");
> } else {
> bs->backing = bdrv_attach_child(bs, backing_hd, "backing", &child_backing,
>
>
> - then, all three tests fails, but without crashes. OK.
>
> The only interesting thing is that, it seems that bdrv_attach_child doesn't unref child on all failure paths.
>
> It calls bdrv_root_attach_child..
>
> which doesn't unref child on the path
>
> if (bdrv_get_aio_context(child_bs) != ctx) {
> ...
> if (ret < 0) {
> error_propagate(errp, local_err);
> g_free(child);
> bdrv_abort_perm_update(child_bs);
> return NULL;
> }
> }
>
> or am I wrong?
I think you're right, we need a bdrv_unref() there. The function comment
makes it clear that bdrv_root_attach_child() is supposed to consume the
reference both in success and error cases.
Kevin
next prev parent reply other threads:[~2020-03-24 12:59 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-24 3:05 Potential Null dereference Mansour Ahmadi
2020-03-24 7:14 ` Philippe Mathieu-Daudé
2020-03-24 9:50 ` Kevin Wolf
2020-03-24 11:59 ` Vladimir Sementsov-Ogievskiy
2020-03-24 12:37 ` Vladimir Sementsov-Ogievskiy
2020-03-24 12:58 ` Kevin Wolf [this message]
-- strict thread matches above, loose matches on Subject: below --
2009-12-15 12:41 potential null dereference Jiri Slaby
2009-12-17 12:30 ` René Scharfe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200324125824.GH5417@linux.fritz.box \
--to=kwolf@redhat.com \
--cc=ManSoSec@gmail.com \
--cc=philmd@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=vsementsov@virtuozzo.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.