Re: [PATCH v2] block: Drop detach_subchain for bdrv_replace_node

[Kevin Wolf <kwolf@redhat.com>]

Am 29.10.2025 um 14:27 hat Wesley Hershberger geschrieben:
> Detaching filters using detach_subchain=true can cause segfaults as
> described in #3149.
> 
> More specifically, this was observed when executing concurrent
> block-stream and query-named-block-nodes. block-stream adds a
> copy-on-read filter as the main BDS for the blockjob; that filter was
> dropped with detach_subchain=true but not unref'd until the the blockjob
> was free'd. Because query-named-block-nodes assumes that a filter will
> always have exactly one child, it caused a segfault when it observed the
> detached filter. Stacktrace:
> 
> 0  bdrv_refresh_filename (bs=0x5efed72f8350)
>     at /usr/src/qemu-1:10.1.0+ds-5ubuntu2/b/qemu/block.c:8082
> 1  0x00005efea73cf9dc in bdrv_block_device_info
>     (blk=0x0, bs=0x5efed72f8350, flat=true, errp=0x7ffeb829ebd8)
>     at block/qapi.c:62
> 2  0x00005efea7391ed3 in bdrv_named_nodes_list
>     (flat=<optimized out>, errp=0x7ffeb829ebd8)
>     at /usr/src/qemu-1:10.1.0+ds-5ubuntu2/b/qemu/block.c:6275
> 3  0x00005efea7471993 in qmp_query_named_block_nodes
>     (has_flat=<optimized out>, flat=<optimized out>, errp=0x7ffeb829ebd8)
>     at /usr/src/qemu-1:10.1.0+ds-5ubuntu2/b/qemu/blockdev.c:2834
> 4  qmp_marshal_query_named_block_nodes
>     (args=<optimized out>, ret=0x7f2b753beec0, errp=0x7f2b753beec8)
>     at qapi/qapi-commands-block-core.c:553
> 5  0x00005efea74f03a5 in do_qmp_dispatch_bh (opaque=0x7f2b753beed0)
>     at qapi/qmp-dispatch.c:128
> 6  0x00005efea75108e6 in aio_bh_poll (ctx=0x5efed6f3f430)
>     at util/async.c:219
> 7  0x00005efea74ffdb2 in aio_dispatch (ctx=0x5efed6f3f430)
>     at util/aio-posix.c:436
> 8  0x00005efea7512846 in aio_ctx_dispatch (source=<optimized out>,
>     callback=<optimized out>,user_data=<optimized out>)
>     at util/async.c:361
> 9  0x00007f2b77809bfb in ?? ()
>     from /lib/x86_64-linux-gnu/libglib-2.0.so.0
> 10 0x00007f2b77809e70 in g_main_context_dispatch ()
>     from /lib/x86_64-linux-gnu/libglib-2.0.so.0
> 11 0x00005efea7517228 in glib_pollfds_poll () at util/main-loop.c:287
> 12 os_host_main_loop_wait (timeout=0) at util/main-loop.c:310
> 13 main_loop_wait (nonblocking=<optimized out>) at util/main-loop.c:589
> 14 0x00005efea7140482 in qemu_main_loop () at system/runstate.c:905
> 15 0x00005efea744e4e8 in qemu_default_main (opaque=opaque@entry=0x0)
>     at system/main.c:50
> 16 0x00005efea6e76319 in main
>     (argc=<optimized out>, argv=<optimized out>)
>     at system/main.c:93
> 
> As discussed in 20251024-second-fix-3149-v1-1-d997fa3d5ce2@canonical.com,
> a filter should not exist without children in the first place; therefore,
> drop the parameter entirely as it is only used for filters.
> 
> This is a partial revert of 3108a15cf09865456d499b08fe14e3dbec4ccbb3.
> 
> After this change, a blockdev-backup job's copy-before-write filter will
> hold references to its children until the filter is unref'd. This causes
> an additional flush during bdrv_close, so also update iotest 257.
> 
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3149
> Suggested-by: Kevin Wolf <kwolf@redhat.com>
> Signed-off-by: Wesley Hershberger <wesley.hershberger@canonical.com>
> Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>

Thanks, applied to the block branch.

Kevin