From: Kevin Wolf <kwolf@redhat.com>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: Qemu-block <qemu-block@nongnu.org>,
	QEMU Developers <qemu-devel@nongnu.org>
Subject: Re: [Qemu-devel] [PULL 5/8] commit: Fix use after free in completion
Date: Mon, 10 Jul 2017 13:40:48 +0200	[thread overview]
Message-ID: <20170710114048.GC5772@noname.redhat.com> (raw)
In-Reply-To: <CAFEAcA-GcwUz0UMJE-chqewQ3X6=ZD6NygywF6w-3J7sG7QzbA@mail.gmail.com>

On 09.07.2017 at 19:09, Peter Maydell wrote:
> On 13 June 2017 at 17:46, Kevin Wolf <kwolf@redhat.com> wrote:
> > On 13.06.2017 at 18:12, Peter Maydell wrote:
> >> On 7 June 2017 at 18:50, Kevin Wolf <kwolf@redhat.com> wrote:
> >> > diff --git a/block/commit.c b/block/commit.c
> >> > index a3028b2..af6fa68 100644
> >> > --- a/block/commit.c
> >> > +++ b/block/commit.c
> >> > @@ -89,6 +89,10 @@ static void commit_complete(BlockJob *job, void *opaque)
> >> >      int ret = data->ret;
> >> >      bool remove_commit_top_bs = false;
> >> >
> >> > +    /* Make sure overlay_bs and top stay around until bdrv_set_backing_hd() */
> >> > +    bdrv_ref(top);
> >> > +    bdrv_ref(overlay_bs);
> >> > +
> >> >      /* Remove base node parent that still uses BLK_PERM_WRITE/RESIZE before
> >> >       * the normal backing chain can be restored. */
> >> >      blk_unref(s->base);
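Review bot: `bdrv_ref(overlay_bs)` is called unconditionally at the top of commit_complete(), yet the later `if (overlay_bs && ...)` check in the same function treats overlay_bs as possibly NULL, which is the check-after-use pattern Coverity reports as CID 1376205. Either guard the new reference and any matching bdrv_unref() with `if (overlay_bs)`, or, if overlay_bs can never be NULL at this point, drop the later NULL check and add an assert so the invariant is explicit; the two sites should agree on whether NULL is possible.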
> >>
> >> Hi -- Coverity complains about this change, because bdrv_ref()
> >> assumes that its argument is not NULL, but later on in commit_complete()
> >> we have a check
> >>     "if (overlay_bs && ...)"
> >> which assumes its argument might be NULL. (CID 1376205)
> >>
> >> Which is correct?
> >
> > I saw the Coverity report and am looking into it. It's not completely
> > clear to me yet which is correct, but I suspect it can be NULL.
> 
> Just a nudge on this one -- I don't think there's been a patch sent
> to the list for this check-after-use?
> 
> (It's one of just 7 coverity issues left which haven't had at least
> a patch sent to the list now...)

As far as I can tell, this can't currently be triggered. I intended to
fix it with some work on the commit block job that I need to do anyway,
and which would potentially enable a way to trigger it. But it turned
out that this is a bit more complicated than I thought.

So maybe I'd better just post a very small patch that silences Coverity
(without making a practical difference) until I can finish the real
thing.

Kevin
