qemu-devel.nongnu.org archive mirror
* [PULL 0/2] Block layer patches
@ 2025-12-15 17:25 Kevin Wolf
From: Kevin Wolf @ 2025-12-15 17:25 UTC (permalink / raw)
  To: qemu-block; +Cc: kwolf, richard.henderson, qemu-devel

The following changes since commit 9c23f2a7b0b45277693a14074b1aaa827eecdb92:

  Update version for v10.2.0-rc3 release (2025-12-09 16:44:49 -0600)

are available in the Git repository at:

  https://repo.or.cz/qemu/kevin.git tags/for-upstream

for you to fetch changes up to 307bc43095b8ab1765fd66c26003d5da06681c05:

  block: Fix BDS use after free during shutdown (2025-12-15 17:31:08 +0100)

----------------------------------------------------------------
Block layer patches

- Fix crash due to BDS use after free during shutdown (in particular
  while migration is running)
- iotests: Fix a typo that made a check to prevent overwriting a file
  ineffective

----------------------------------------------------------------
Kevin Wolf (1):
      block: Fix BDS use after free during shutdown

Thomas Huth (1):
      tests/qemu-iotests: Fix check for existing file in _require_disk_usage()

 blockdev.c                   | 1 +
 tests/qemu-iotests/common.rc | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)




* [PULL 1/2] tests/qemu-iotests: Fix check for existing file in _require_disk_usage()
From: Kevin Wolf @ 2025-12-15 17:25 UTC (permalink / raw)
  To: qemu-block; +Cc: kwolf, richard.henderson, qemu-devel

From: Thomas Huth <thuth@redhat.com>

Looks like the "$" has been forgotten here to get the contents of
the FILENAME variable.

Fixes: c49dda7254d ("iotests: Filter out ZFS in several tests")
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20251208075320.35682-1-thuth@redhat.com>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
 tests/qemu-iotests/common.rc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/qemu-iotests/common.rc b/tests/qemu-iotests/common.rc
index 10d83d8361b..c0f8f0f8dfa 100644
--- a/tests/qemu-iotests/common.rc
+++ b/tests/qemu-iotests/common.rc
@@ -1008,7 +1008,7 @@ _require_disk_usage()
     else
         FILENAME="$TEST_IMG_FILE"
     fi
-    if [ -e "FILENAME" ]; then
+    if [ -e "$FILENAME" ]; then
         echo "unwilling to overwrite existing file"
         exit 1
     fi
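Review bot: the corrected guard is right, but it still passes silently when the variable is empty: `[ -e "" ]` is false, so if the else branch assigns an empty `$TEST_IMG_FILE`, the test proceeds as if no file existed. A `[ -z "$FILENAME" ]` check with its own error message next to this `-e` test would close that gap; the original `"FILENAME"` only ever looked for a file literally named FILENAME in the current directory, which is why the check never fired.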
-- 
2.52.0




* [PULL 2/2] block: Fix BDS use after free during shutdown
From: Kevin Wolf @ 2025-12-15 17:25 UTC (permalink / raw)
  To: qemu-block; +Cc: kwolf, richard.henderson, qemu-devel

During shutdown, blockdev_close_all_bdrv_states() drops any block node
references that are still owned by the monitor (i.e. the user). However,
in doing so, it forgot to also remove the node from monitor_bdrv_states
(which qmp_blockdev_del() correctly does), which means that later calls
of bdrv_first()/bdrv_next() will still return the (now stale) pointer to
the node.

Usually there is no such call after this point, but in some cases it can
happen. In the reported case, there was an ongoing migration, and the
migration thread wasn't shut down yet: migration_shutdown() called by
qemu_cleanup() doesn't actually wait for the migration to be shut down,
but may just move it to MIGRATION_STATUS_CANCELLING. The next time
migration_iteration_finish() runs, it sees the status and tries to
re-activate all block devices that migration may have previously
inactivated. This is where bdrv_first()/bdrv_next() get called and the
access to the already freed node happens.

It is debatable if migration_shutdown() should really return before
migration has settled, but leaving a dangling pointer in the list of
monitor-owned block nodes is clearly a bug either way and fixing it
solves the immediate problem, so fix it.

Cc: qemu-stable@nongnu.org
Reported-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-ID: <20251215150714.130214-1-kwolf@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Tested-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
 blockdev.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/blockdev.c b/blockdev.c
index dbd1d4d3e80..6e86c6262f9 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -686,6 +686,7 @@ void blockdev_close_all_bdrv_states(void)
 
     GLOBAL_STATE_CODE();
     QTAILQ_FOREACH_SAFE(bs, &monitor_bdrv_states, monitor_list, next_bs) {
+        QTAILQ_REMOVE(&monitor_bdrv_states, bs, monitor_list);
         bdrv_unref(bs);
     }
 }
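Review bot: unlinking inside QTAILQ_FOREACH_SAFE is safe here because next_bs is read before the loop body runs, so the added QTAILQ_REMOVE before bdrv_unref() is correct. Since the commit message says qmp_blockdev_del() already performs the same remove-then-unref sequence, consider a small shared helper used by both call sites so the two paths cannot drift apart again, which is how this dangling list entry arose; a one-line comment above the loop stating that an entry must be unlinked from monitor_bdrv_states before its reference is dropped would also help the next reader.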
-- 
2.52.0
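As an added illustration that is not QEMU code and not part of this patch, the C model below reproduces the mechanism the commit message describes: a monitor-owned list of refcounted nodes whose close-all loop drops references without unlinking, so a later bdrv_first()-style lookup returns an entry that has already been freed. All names, the two-node list and the flag-based "free" are constructed for the example.

```c
/* Added example, not QEMU code: models monitor_bdrv_states as an intrusive list
 * of refcounted nodes. "Freeing" only sets a flag, so the stale pointer left by
 * the pre-patch close can be observed without crashing. */
#include <stddef.h>

typedef struct Node {
    int refcnt, freed;              /* freed=1 once the simulated free ran */
    struct Node *next, *prev;       /* the monitor_list links */
} Node;
typedef struct { Node *first, *last; } List;
static Node pool[2];                /* constructed sample nodes */
static List monitor_states;         /* stand-in for monitor_bdrv_states */

static void list_remove(List *l, Node *n)
{
    if (n->prev) n->prev->next = n->next; else l->first = n->next;
    if (n->next) n->next->prev = n->prev; else l->last = n->prev;
    n->next = n->prev = NULL;
}

/* Link both sample nodes, each holding one reference owned by the monitor. */
static void setup(void)
{
    monitor_states.first = monitor_states.last = NULL;
    for (int i = 0; i < 2; i++) {
        Node *n = &pool[i];
        n->refcnt = 1; n->freed = 0; n->next = NULL; n->prev = monitor_states.last;
        if (n->prev) n->prev->next = n; else monitor_states.first = n;
        monitor_states.last = n;
    }
}

static void node_unref(Node *n)          /* stands in for bdrv_unref() */
{ if (--n->refcnt == 0) n->freed = 1; }  /* "free" sets a flag, no free() */

/* blockdev_close_all_bdrv_states() stand-in: do_unlink=0 is the pre-patch loop
 * (reference dropped, node left linked); do_unlink=1 adds the patch's remove. */
static void close_all(int do_unlink)
{
    Node *bs, *next;
    for (bs = monitor_states.first; bs; bs = next) {
        next = bs->next;                /* what QTAILQ_FOREACH_SAFE does */
        if (do_unlink) list_remove(&monitor_states, bs);
        node_unref(bs);
    }
}

static int first_is_stale(void)   /* bdrv_first() stand-in: 1 if entry freed */
{ return monitor_states.first != NULL && monitor_states.first->freed; }
```

Calling setup() then close_all(0) leaves first_is_stale() returning 1, which is the use after free the patch removes; with close_all(1) the list is empty and the lookup returns nothing.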




* Re: [PULL 0/2] Block layer patches
From: Richard Henderson @ 2025-12-16 15:37 UTC (permalink / raw)
  To: Kevin Wolf, qemu-block; +Cc: qemu-devel

On 12/16/25 04:25, Kevin Wolf wrote:
> The following changes since commit 9c23f2a7b0b45277693a14074b1aaa827eecdb92:
> 
>    Update version for v10.2.0-rc3 release (2025-12-09 16:44:49 -0600)
> 
> are available in the Git repository at:
> 
>    https://repo.or.cz/qemu/kevin.git tags/for-upstream
> 
> for you to fetch changes up to 307bc43095b8ab1765fd66c26003d5da06681c05:
> 
>    block: Fix BDS use after free during shutdown (2025-12-15 17:31:08 +0100)
> 
> ----------------------------------------------------------------
> Block layer patches
> 
> - Fix crash due to BDS use after free during shutdown (in particular
>    while migration is running)
> - iotests: Fix a typo that made a check to prevent overwriting a file
>    ineffective


Applied, thanks.  Please update https://wiki.qemu.org/ChangeLog/10.2 as appropriate.

r~


