Date: Fri, 3 Jan 2014 17:19:01 +0800
From: Stefan Hajnoczi
Message-ID: <20140103091901.GC1483@stefanha-thinkpad.redhat.com>
References: <1386920120-2651-1-git-send-email-famz@redhat.com> <1386920120-2651-9-git-send-email-famz@redhat.com>
In-Reply-To: <1386920120-2651-9-git-send-email-famz@redhat.com>
Subject: Re: [Qemu-devel] [PATCH v8 08/12] block: Parse "backing" option to reference existing BDS
To: Fam Zheng
Cc: kwolf@redhat.com, rjones@redhat.com, armbru@redhat.com, qemu-devel@nongnu.org, imain@redhat.com, stefanha@redhat.com, pbonzini@redhat.com

On Fri, Dec 13, 2013 at 03:35:16PM +0800, Fam Zheng wrote: > diff --git a/block.c b/block.c > index b3993d7..fba7148 100644 > --- a/block.c > +++ b/block.c
> @@ -1191,11 +1191,25 @@ int bdrv_open(BlockDriverState *bs, const char *filename, QDict *options, > /* If there is a backing file, use it */ > if ((flags & BDRV_O_NO_BACKING) == 0) { > QDict *backing_options; > - > - qdict_extract_subqdict(options, &backing_options, "backing."); > - ret = bdrv_open_backing_file(bs, backing_options, &local_err); > - if (ret < 0) { > - goto close_and_fail; > + const char *backing_name; > + BlockDriverState *backing_hd; > + > + backing_name = qdict_get_try_str(options, "backing"); > + qdict_del(options, "backing"); This causes a use-after-free since backing_name is a const char pointer to the qdict element! > + if (backing_name) { > + backing_hd = bdrv_find(backing_name); > + if (!backing_hd) { > + error_set(&local_err, QERR_DEVICE_NOT_FOUND, backing_name); > + ret = -ENOENT; > + goto close_and_fail; > + } > + bdrv_set_backing_hd(bs, backing_hd); > + } else { > + qdict_extract_subqdict(options, &backing_options, "backing."); > + ret = bdrv_open_backing_file(bs, backing_options, &local_err); > + if (ret < 0) { > + goto close_and_fail; > + } > } Seems like users can specify backing=foo backing.file=/tmp/a and we ignore backing.file. Is it useful to silently ignore the backing. subdict? The user may have given useless options by mistake. An error would help prevent weird options combinations. > } > > @@ -1682,7 +1696,6 @@ void bdrv_swap(BlockDriverState *bs_new, BlockDriverState *bs_old) > assert(QLIST_EMPTY(&bs_new->dirty_bitmaps)); > assert(bs_new->job == NULL); > assert(bs_new->dev == NULL); > - assert(bdrv_op_blocker_is_empty(bs_new)); > assert(bs_new->io_limits_enabled == false); > assert(!throttle_have_timer(&bs_new->throttle_state)); 
> > @@ -1701,7 +1714,6 @@ void bdrv_swap(BlockDriverState *bs_new, BlockDriverState *bs_old) > /* Check a few fields that should remain attached to the device */ > assert(bs_new->dev == NULL); > assert(bs_new->job == NULL); > - assert(bdrv_op_blocker_is_empty(bs_new)); > assert(bs_new->io_limits_enabled == false); > assert(!throttle_have_timer(&bs_new->throttle_state)); Why are these hunks part of this patch? I guess it makes sense *not* to check for blockers in bdrv_swap(). Instead the high-level functions in blockdev.c and elsewhere should check blockers.
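Review bot: In the bdrv_open() hunk, `backing_name` is obtained from `qdict_get_try_str(options, "backing")` and the very next line, `qdict_del(options, "backing")`, frees the entry it points into, so both `bdrv_find(backing_name)` and `error_set(&local_err, QERR_DEVICE_NOT_FOUND, backing_name)` read freed memory. Either take an owned copy (`backing_name = g_strdup(qdict_get_try_str(options, "backing"));` and free it on every exit path, including `close_and_fail`) or move the `qdict_del()` after the last use. Two further gaps in the same hunk: when `backing` is present the `backing.*` keys are left in `options` and never consumed, so a user who passes both gets the sub-dictionary silently ignored rather than an error; and nothing visible rejects `backing_hd == bs` or a BDS that is already part of this chain before `bdrv_set_backing_hd(bs, backing_hd)` is called.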
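Review bot: Both bdrv_swap() hunks remove `assert(bdrv_op_blocker_is_empty(bs_new));` without any mention in the patch subject, which is about parsing the "backing" option. Either split the assertion removal into its own patch whose commit message states that op blocker checks belong to the high-level callers in blockdev.c rather than to bdrv_swap(), or explain in this patch's description why referencing an existing BDS as a backing file needs bdrv_swap() to accept a bs_new that carries blockers; as posted, a reader cannot tell whether this is a deliberate policy change or a leftover from debugging.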
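The two problems raised in this reply (the dangling `backing_name` pointer after `qdict_del()`, and the `backing.` sub-dictionary being ignored when `backing` is given) in one runnable form. This is an added example, not QEMU code and not code from either participant: a toy string map (`SMap`, `smap_*`) stands in for QDict, and `backing_name_buggy()` / `parse_backing_option()` are invented names. The option set is constructed inline.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for QDict with the two operations the patch relies on.
 * Everything here is invented for the example. */
#define SMAP_MAX 16
typedef struct {
    char *key[SMAP_MAX];
    char *val[SMAP_MAX];
    int n;
} SMap;

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    return d ? memcpy(d, s, n) : NULL;
}

static void smap_put(SMap *m, const char *k, const char *v)
{
    m->key[m->n] = dup_str(k);
    m->val[m->n] = dup_str(v);
    m->n++;
}

/* Like qdict_get_try_str(): returns a pointer INTO the entry, not a copy. */
static const char *smap_get_try_str(const SMap *m, const char *k)
{
    for (int i = 0; i < m->n; i++) {
        if (strcmp(m->key[i], k) == 0) {
            return m->val[i];
        }
    }
    return NULL;
}

/* Like qdict_del(): frees the entry, so a pointer previously returned by
 * smap_get_try_str() for this key dangles. The value is poisoned before
 * free so a dangling read shows up under ASan or valgrind. */
static void smap_del(SMap *m, const char *k)
{
    for (int i = 0; i < m->n; i++) {
        if (strcmp(m->key[i], k) == 0) {
            memset(m->val[i], 0xAA, strlen(m->val[i]));
            free(m->val[i]);
            free(m->key[i]);
            m->key[i] = m->key[m->n - 1];
            m->val[i] = m->val[m->n - 1];
            m->n--;
            return;
        }
    }
}

/* Number of keys starting with prefix, e.g. "backing." */
static int smap_count_prefix(const SMap *m, const char *prefix)
{
    size_t len = strlen(prefix);
    int count = 0;
    for (int i = 0; i < m->n; i++) {
        if (strncmp(m->key[i], prefix, len) == 0) {
            count++;
        }
    }
    return count;
}

/* The order used in the patch: take the pointer, delete the entry, keep
 * using the pointer. Never dereference the result; it is freed memory. */
static const char *backing_name_buggy(SMap *opts)
{
    const char *backing_name = smap_get_try_str(opts, "backing");
    smap_del(opts, "backing");
    return backing_name;
}

/* Safe version: copy the value before the entry goes away, and refuse a
 * "backing" reference combined with "backing.*" options instead of
 * ignoring them. Returns 0 on success (*name_out is NULL when no "backing"
 * key was given, otherwise an owned string the caller frees) or -1 with
 * *err set when the options conflict. */
static int parse_backing_option(SMap *opts, char **name_out, const char **err)
{
    const char *p = smap_get_try_str(opts, "backing");
    char *name = p ? dup_str(p) : NULL;   /* owned copy survives smap_del */
    smap_del(opts, "backing");
    if (name && smap_count_prefix(opts, "backing.") > 0) {
        free(name);
        *err = "'backing' cannot be combined with 'backing.*' options";
        return -1;
    }
    *name_out = name;
    *err = NULL;
    return 0;
}

int main(void)
{
    /* Constructed input: backing=drive0 together with backing.file=/tmp/a. */
    SMap opts = { .n = 0 };
    smap_put(&opts, "backing", "drive0");
    smap_put(&opts, "backing.file", "/tmp/a");
    char *name = NULL;
    const char *err = NULL;
    int ret = parse_backing_option(&opts, &name, &err);
    printf("ret=%d err=%s\n", ret, err ? err : "(none)");
    free(name);
    return 0;
}
```

The same reordering works with the real API: take `g_strdup()` of the `qdict_get_try_str()` result (or simply call `qdict_del()` after the last use) and free the copy on every exit path, including the `close_and_fail` label.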