* [Qemu-devel] [PATCH 0/2] commit: Fix use after free in completion
From: Kevin Wolf @ 2017-06-02 21:12 UTC
To: qemu-block; +Cc: kwolf, mreitz, qemu-devel
Kevin Wolf (2):
commit: Fix use after free in completion
qemu-iotests: Test automatic commit job cancel on hot unplug
block/commit.c | 7 +++++++
tests/qemu-iotests/040 | 35 +++++++++++++++++++++++++++++++++--
tests/qemu-iotests/040.out | 4 ++--
3 files changed, 42 insertions(+), 4 deletions(-)
--
1.8.3.1
* [Qemu-devel] [PATCH 1/2] commit: Fix use after free in completion
From: Kevin Wolf @ 2017-06-02 21:12 UTC
To: qemu-block; +Cc: kwolf, mreitz, qemu-devel
The final bdrv_set_backing_hd() could be working on already freed nodes
because the commit job drops its references (through BlockBackends) to
both overlay_bs and top already a bit earlier.
One way to trigger the bug is hot unplugging a disk for which
blockdev_mark_auto_del() cancels the block job.
Fix this by taking BDS-level references while we're still using the
nodes.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
block/commit.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/block/commit.c b/block/commit.c
index a3028b2..af6fa68 100644
--- a/block/commit.c
+++ b/block/commit.c
@@ -89,6 +89,10 @@ static void commit_complete(BlockJob *job, void *opaque)
int ret = data->ret;
bool remove_commit_top_bs = false;
+ /* Make sure overlay_bs and top stay around until bdrv_set_backing_hd() */
+ bdrv_ref(top);
+ bdrv_ref(overlay_bs);
+
/* Remove base node parent that still uses BLK_PERM_WRITE/RESIZE before
* the normal backing chain can be restored. */
blk_unref(s->base);
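Review bot: the two bdrv_ref() calls are unconditional and are placed before the blk_unref() calls that previously dropped the last references to the nodes, which is the right spot; their matching release is in the second hunk at the very end of commit_complete(), so any early return introduced between the two hunks later on would leak both references and keep the nodes pinned. Keeping the ref/unref pair visibly tied together (for instance by a comment at the release site naming the refs taken here) would make that invariant harder to break.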
@@ -124,6 +128,9 @@ static void commit_complete(BlockJob *job, void *opaque)
if (remove_commit_top_bs) {
bdrv_set_backing_hd(overlay_bs, top, &error_abort);
}
+
+ bdrv_unref(overlay_bs);
+ bdrv_unref(top);
}
static void coroutine_fn commit_run(void *opaque)
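Review bot: the unrefs correctly sit outside the `if (remove_commit_top_bs)` block, so they run on both paths and release exactly the two references taken at the top of the function, and because bdrv_set_backing_hd() is called with &error_abort there is no error path that could skip them. A one-line comment such as `/* Matches the bdrv_ref() calls at the top of commit_complete() */` would help the pairing survive future reordering of the cleanup.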
--
1.8.3.1
* [Qemu-devel] [PATCH 2/2] qemu-iotests: Test automatic commit job cancel on hot unplug
From: Kevin Wolf @ 2017-06-02 21:12 UTC
To: qemu-block; +Cc: kwolf, mreitz, qemu-devel
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
tests/qemu-iotests/040 | 35 +++++++++++++++++++++++++++++++++--
tests/qemu-iotests/040.out | 4 ++--
2 files changed, 35 insertions(+), 4 deletions(-)
diff --git a/tests/qemu-iotests/040 b/tests/qemu-iotests/040
index 5bdaf3d..9d381d9 100755
--- a/tests/qemu-iotests/040
+++ b/tests/qemu-iotests/040
@@ -70,7 +70,9 @@ class ImageCommitTestCase(iotests.QMPTestCase):
self.wait_for_complete()
class TestSingleDrive(ImageCommitTestCase):
- image_len = 1 * 1024 * 1024
+ # Need some space after the copied data so that throttling is effective in
+ # tests that use it rather than just completing the job immediately
+ image_len = 2 * 1024 * 1024
test_len = 1 * 1024 * 256
def setUp(self):
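Review bot: image_len is a class attribute of TestSingleDrive, so doubling it changes the image size for every test in the class and for any subclass that inherits it, not only for the throttled test this prepares for; the unchanged test_len of 256K and the unchanged results for the existing tests in 040.out suggest nothing else depends on the old 1M value, but that is worth a sentence in the commit message, which currently carries no description at all.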
@@ -79,7 +81,9 @@ class TestSingleDrive(ImageCommitTestCase):
qemu_img('create', '-f', iotests.imgfmt, '-o', 'backing_file=%s' % mid_img, test_img)
qemu_io('-f', 'raw', '-c', 'write -P 0xab 0 524288', backing_img)
qemu_io('-f', iotests.imgfmt, '-c', 'write -P 0xef 524288 524288', mid_img)
- self.vm = iotests.VM().add_drive(test_img)
+ self.vm = iotests.VM().add_drive(test_img, interface="none")
+ self.vm.add_device("virtio-scsi-pci")
+ self.vm.add_device("scsi-hd,id=scsi0,drive=drive0")
self.vm.launch()
def tearDown(self):
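Review bot: the virtio-scsi-pci controller and scsi-hd device are added in setUp() for every TestSingleDrive test, so the whole class now runs against a SCSI disk instead of the default add_drive() interface, which is a wider behaviour change than the new hot-unplug test needs. The `drive=drive0` property also relies on add_drive() assigning the id `drive0`, the same id that test_hot_unplug later passes to block-commit and checks in BLOCK_JOB_CANCELLED, so if that default ever changes all three places must be updated together.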
@@ -131,6 +135,33 @@ class TestSingleDrive(ImageCommitTestCase):
self.assert_qmp(result, 'error/class', 'GenericError')
self.assert_qmp(result, 'error/desc', 'Base \'%s\' not found' % mid_img)
+ # When the job is running on a BB that is automatically deleted on hot
+ # unplug, the job is cancelled when the device disappears
+ def test_hot_unplug(self):
+ if self.image_len == 0:
+ return
+
+ self.assert_no_active_block_jobs()
+ result = self.vm.qmp('block-commit', device='drive0', top=mid_img,
+ base=backing_img, speed=(self.image_len / 4))
+ self.assert_qmp(result, 'return', {})
+ result = self.vm.qmp('device_del', id='scsi0')
+ self.assert_qmp(result, 'return', {})
+
+ cancelled = False
+ deleted = False
+ while not cancelled or not deleted:
+ for event in self.vm.get_qmp_events(wait=True):
+ if event['event'] == 'DEVICE_DELETED':
+ self.assert_qmp(event, 'data/device', 'scsi0')
+ deleted = True
+ elif event['event'] == 'BLOCK_JOB_CANCELLED':
+ self.assert_qmp(event, 'data/device', 'drive0')
+ cancelled = True
+ else:
+ self.fail("Unexpected event %s" % (event['event']))
+
+ self.assert_no_active_block_jobs()
class TestRelativePaths(ImageCommitTestCase):
image_len = 1 * 1024 * 1024
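Review bot: `speed=(self.image_len / 4)` is integer division only under Python 2; under Python 3 it produces a float, which the integer `speed` argument of block-commit will reject, so `self.image_len // 4` is the safer spelling. Two smaller points on the event loop: get_qmp_events(wait=True) is used without a timeout, so if either DEVICE_DELETED or BLOCK_JOB_CANCELLED never arrives the test hangs rather than fails (passing a numeric timeout to get_qmp_events(), if the harness supports it, would turn that into a failure), and a BLOCK_JOB_COMPLETED that wins the race against device_del lands in the `self.fail()` branch, which is the intended outcome but depends on the throttling enabled by the larger image_len to keep the race unlikely.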
diff --git a/tests/qemu-iotests/040.out b/tests/qemu-iotests/040.out
index 4fd1c2d..6d9bee1 100644
--- a/tests/qemu-iotests/040.out
+++ b/tests/qemu-iotests/040.out
@@ -1,5 +1,5 @@
-.........................
+...........................
----------------------------------------------------------------------
-Ran 25 tests
+Ran 27 tests
OK
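Review bot: the expected count rises from 25 to 27 although only one test method is added, which implies test_hot_unplug is also picked up by a subclass of TestSingleDrive (the `if self.image_len == 0: return` guard caters for exactly such a subclass); a line in the commit message naming the classes that run the new test would make this change in 040.out straightforward to verify.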
--
1.8.3.1
* Re: [Qemu-devel] [Qemu-block] [PATCH 0/2] commit: Fix use after free in completion
From: John Snow @ 2017-06-02 23:28 UTC
To: Kevin Wolf, qemu-block; +Cc: qemu-devel, mreitz
On 06/02/2017 05:12 PM, Kevin Wolf wrote:
> Kevin Wolf (2):
> commit: Fix use after free in completion
> qemu-iotests: Test automatic commit job cancel on hot unplug
>
> block/commit.c | 7 +++++++
> tests/qemu-iotests/040 | 35 +++++++++++++++++++++++++++++++++--
> tests/qemu-iotests/040.out | 4 ++--
> 3 files changed, 42 insertions(+), 4 deletions(-)
>
Reviewed-by: John Snow <jsnow@redhat.com>
* Re: [Qemu-devel] [PATCH 1/2] commit: Fix use after free in completion
From: Kevin Wolf @ 2017-06-09 11:45 UTC
To: qemu-block; +Cc: mreitz, qemu-devel, qemu-stable
On 02.06.2017 at 23:12, Kevin Wolf wrote:
> The final bdrv_set_backing_hd() could be working on already freed nodes
> because the commit job drops its references (through BlockBackends) to
> both overlay_bs and top already a bit earlier.
>
> One way to trigger the bug is hot unplugging a disk for which
> blockdev_mark_auto_del() cancels the block job.
>
> Fix this by taking BDS-level references while we're still using the
> nodes.
>
> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Cc: qemu-stable@nongnu.org