From: Stefan Hajnoczi <stefanha@gmail.com>
To: Fam Zheng <famz@redhat.com>
Cc: kwolf@redhat.com, rjones@redhat.com, armbru@redhat.com,
qemu-devel@nongnu.org, imain@redhat.com, stefanha@redhat.com,
pbonzini@redhat.com
Subject: Re: [Qemu-devel] [PATCH v8 08/12] block: Parse "backing" option to reference existing BDS
Date: Fri, 3 Jan 2014 17:19:01 +0800
Message-ID: <20140103091901.GC1483@stefanha-thinkpad.redhat.com>
In-Reply-To: <1386920120-2651-9-git-send-email-famz@redhat.com>
On Fri, Dec 13, 2013 at 03:35:16PM +0800, Fam Zheng wrote:
> diff --git a/block.c b/block.c
> index b3993d7..fba7148 100644
> --- a/block.c
> +++ b/block.c
> @@ -1191,11 +1191,25 @@ int bdrv_open(BlockDriverState *bs, const char *filename, QDict *options,
> /* If there is a backing file, use it */
> if ((flags & BDRV_O_NO_BACKING) == 0) {
> QDict *backing_options;
> -
> - qdict_extract_subqdict(options, &backing_options, "backing.");
> - ret = bdrv_open_backing_file(bs, backing_options, &local_err);
> - if (ret < 0) {
> - goto close_and_fail;
> + const char *backing_name;
> + BlockDriverState *backing_hd;
> +
> + backing_name = qdict_get_try_str(options, "backing");
> + qdict_del(options, "backing");
This causes a use-after-free since backing_name is a const char pointer
to the qdict element!
> + if (backing_name) {
> + backing_hd = bdrv_find(backing_name);
> + if (!backing_hd) {
> + error_set(&local_err, QERR_DEVICE_NOT_FOUND, backing_name);
> + ret = -ENOENT;
> + goto close_and_fail;
> + }
> + bdrv_set_backing_hd(bs, backing_hd);
> + } else {
> + qdict_extract_subqdict(options, &backing_options, "backing.");
> + ret = bdrv_open_backing_file(bs, backing_options, &local_err);
> + if (ret < 0) {
> + goto close_and_fail;
> + }
> }
Seems like users can specify backing=foo backing.file=/tmp/a and we
ignore backing.file. Is it useful to silently ignore the backing.
subdict? The user may have given useless options by mistake. An error
would help prevent weird options combinations.
> }
>
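Review bot: in the new `backing_name` branch, `qdict_del(options, "backing")` runs before `backing_name` is used, and `qdict_get_try_str()` returned a pointer owned by that entry, so `bdrv_find(backing_name)` and `error_set(&local_err, QERR_DEVICE_NOT_FOUND, backing_name)` both read freed memory. Either copy the value first (`backing_name = g_strdup(...)`) and free it after the last use, or move the `qdict_del()` below the `if (backing_name) { ... }` block. The same branch also leaves any `backing.*` keys in `options` unconsumed, so `backing=foo backing.file=/tmp/a` drops `backing.file` without telling the user; rejecting that combination with an explicit error before calling `bdrv_find()` would be safer than silently ignoring it.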
> @@ -1682,7 +1696,6 @@ void bdrv_swap(BlockDriverState *bs_new, BlockDriverState *bs_old)
> assert(QLIST_EMPTY(&bs_new->dirty_bitmaps));
> assert(bs_new->job == NULL);
> assert(bs_new->dev == NULL);
> - assert(bdrv_op_blocker_is_empty(bs_new));
> assert(bs_new->io_limits_enabled == false);
> assert(!throttle_have_timer(&bs_new->throttle_state));
>
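Review bot: removing `assert(bdrv_op_blocker_is_empty(bs_new))` from `bdrv_swap()` has nothing to do with parsing the "backing" option and nothing in this hunk justifies it. Split it into its own patch whose commit message states where the blocker check now lives (the callers in blockdev.c), so the removal is not mistaken for a silent weakening of the swap precondition.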
> @@ -1701,7 +1714,6 @@ void bdrv_swap(BlockDriverState *bs_new, BlockDriverState *bs_old)
> /* Check a few fields that should remain attached to the device */
> assert(bs_new->dev == NULL);
> assert(bs_new->job == NULL);
> - assert(bdrv_op_blocker_is_empty(bs_new));
> assert(bs_new->io_limits_enabled == false);
> assert(!throttle_have_timer(&bs_new->throttle_state));
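Review bot: after this second removal the comment "Check a few fields that should remain attached to the device" still covers `dev`, `job` and the throttling fields but no longer blockers, which is now the only one of these fields left unchecked. If blockers are intentionally allowed on `bs_new` at this point, say so in the comment or commit message, and confirm that every caller of `bdrv_swap()` that relied on this assertion performs its own blocker check.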
Why are these hunks part of this patch? I guess it makes sense *not* to
check for blockers in bdrv_swap(). Instead the high-level functions in
blockdev.c and elsewhere should check blockers.
Thread overview: 22+ messages
2013-12-13 7:35 [Qemu-devel] [PATCH v8 00/12] Drop in_use from BlockDriverState and enable point-in-time snapshot exporting over NBD Fam Zheng
2013-12-13 7:35 ` [Qemu-devel] [PATCH v8 01/12] blkdebug: Use QLIST_FOREACH_SAFE to resume IO Fam Zheng
2013-12-13 7:35 ` [Qemu-devel] [PATCH v8 02/12] qapi: Add BlockOperationType enum Fam Zheng
2014-01-03 10:09 ` Stefan Hajnoczi
2014-01-08 2:28 ` Fam Zheng
2014-01-08 3:26 ` Stefan Hajnoczi
2014-01-08 3:31 ` Fam Zheng
2013-12-13 7:35 ` [Qemu-devel] [PATCH v8 03/12] block: Introduce op_blockers to BlockDriverState Fam Zheng
2013-12-13 7:35 ` [Qemu-devel] [PATCH v8 04/12] block: Replace in_use with operation blocker Fam Zheng
2013-12-13 7:35 ` [Qemu-devel] [PATCH v8 05/12] block: Move op_blocker check from block_job_create to its caller Fam Zheng
2013-12-13 7:35 ` [Qemu-devel] [PATCH v8 06/12] block: Add bdrv_set_backing_hd() Fam Zheng
2014-01-03 9:02 ` Stefan Hajnoczi
2013-12-13 7:35 ` [Qemu-devel] [PATCH v8 07/12] block: Add backing_blocker in BlockDriverState Fam Zheng
2014-01-03 9:09 ` Stefan Hajnoczi
2013-12-13 7:35 ` [Qemu-devel] [PATCH v8 08/12] block: Parse "backing" option to reference existing BDS Fam Zheng
2014-01-03 9:19 ` Stefan Hajnoczi [this message]
2014-01-08 6:18 ` Fam Zheng
2013-12-13 7:35 ` [Qemu-devel] [PATCH v8 09/12] block: Support dropping active in bdrv_drop_intermediate Fam Zheng
2014-01-03 10:04 ` Stefan Hajnoczi
2013-12-13 7:35 ` [Qemu-devel] [PATCH v8 10/12] stream: Use bdrv_drop_intermediate and drop close_unused_images Fam Zheng
2013-12-13 7:35 ` [Qemu-devel] [PATCH v8 11/12] qmp: Add command 'blockdev-backup' Fam Zheng
2013-12-13 7:35 ` [Qemu-devel] [PATCH v8 12/12] block: Allow backup on referenced named BlockDriverState Fam Zheng