Block patches for 5.0-rc0:

- Use-after-free fix - Fix for a memleak in an error path - Preventative measures against other potential use-after-frees, and against NULL deferences at runtime - iotest fixes -----BEGIN PGP SIGNATURE----- iQFFBAABCAAwFiEEkb62CjDbPohX0Rgp9AfbAGHVz0AFAl55+r0SHG1yZWl0ekBy ZWRoYXQuY29tAAoJEPQH2wBh1c9AypAH9ijjB8H/Vxp+A8DSIvMwXVDTEp2I+ACX +riIwJIgvpz9Vblf9PPFjGfoArBMtQwb4F91aPy+eDaYq+teaekmPU4YXGMz+/dG 5JDKoAbJJr1gwMrSOIW3kQ/MKvoP0hiEFgwXvBvXJkXiANb2sCIvrXXKr/gFB0vt M0/TERutiO7r+mkbfIVPKJahlaswguvoavqDak6kk5+OeOBpBoPwfPWlcjjEfGHb epZiZN/i6fHLphfD+TEmTIzQQQI6csPUDA/ORbhodVZ2sQJ5kVfLVs+69RAwilC6 L3F1SnstnXcazUYlWOIicTJfKfC0BubM2Sofs7mfPFwN6I8A6PRTtw== =KpHc -----END PGP SIGNATURE----- Merge remote-tracking branch 'remotes/maxreitz/tags/pull-block-2020-03-24' into staging Block patches for 5.0-rc0: - Use-after-free fix - Fix for a memleak in an error path - Preventative measures against other potential use-after-frees, and against NULL deferences at runtime - iotest fixes # gpg: Signature made Tue 24 Mar 2020 12:19:09 GMT # gpg: using RSA key 91BEB60A30DB3E8857D11829F407DB0061D5CF40 # gpg: issuer "mreitz@redhat.com" # gpg: Good signature from "Max Reitz <mreitz@redhat.com>" [full] # Primary key fingerprint: 91BE B60A 30DB 3E88 57D1 1829 F407 DB00 61D5 CF40 * remotes/maxreitz/tags/pull-block-2020-03-24: iotests/026: Move v3-exclusive test to new file iotests: Fix cleanup path in some tests block/qcow2: zero data_file child after free block: bdrv_set_backing_bs: fix use-after-free block: Assert BlockDriver::format_name is not NULL block: Avoid memleak on qcow2 image info failure Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2020-03-24 12:24:41 +00:00 · 2020-03-24 12:24:41 +00:00 · 62a43e53fa
parent 09a98dd988 c264e5d2f9
commit 62a43e53fa
11 changed files with 111 additions and 45 deletions
--- a/block.c
+++ b/block.c
@ -363,6 +363,7 @@ char *bdrv_get_full_backing_filename(BlockDriverState *bs, Error **errp)

 void bdrv_register(BlockDriver *bdrv)
 {
+    assert(bdrv->format_name);
    QLIST_INSERT_HEAD(&bdrv_drivers, bdrv, list);
 }

@ -2759,10 +2760,10 @@ void bdrv_set_backing_hd(BlockDriverState *bs, BlockDriverState *backing_hd,

    if (bs->backing) {
        bdrv_unref_child(bs, bs->backing);
+        bs->backing = NULL;
    }

    if (!backing_hd) {
-        bs->backing = NULL;
        goto out;
    }

--- a/block/qcow2.c
+++ b/block/qcow2.c
@ -1758,6 +1758,7 @@ static int coroutine_fn qcow2_do_open(BlockDriverState *bs, QDict *options,
    g_free(s->image_data_file);
    if (has_data_file(bs)) {
        bdrv_unref_child(bs, s->data_file);
+        s->data_file = NULL;
    }
    g_free(s->unknown_header_fields);
    cleanup_unknown_header_ext(bs);
@ -2621,6 +2622,7 @@ static void qcow2_close(BlockDriverState *bs)

    if (has_data_file(bs)) {
        bdrv_unref_child(bs, s->data_file);
+        s->data_file = NULL;
    }

    qcow2_refcount_close(bs);
@ -4811,6 +4813,7 @@ static ImageInfoSpecific *qcow2_get_specific_info(BlockDriverState *bs,
        if (local_err) {
            error_propagate(errp, local_err);
            qapi_free_ImageInfoSpecific(spec_info);
+            qapi_free_QCryptoBlockInfo(encrypt_info);
            return NULL;
        }
        *spec_info->u.qcow2.data = (ImageInfoSpecificQCow2){
--- a/tests/qemu-iotests/026
+++ b/tests/qemu-iotests/026
@ -240,37 +240,6 @@ $QEMU_IO -c "write 0 $CLUSTER_SIZE" "$BLKDBG_TEST_IMG" | _filter_qemu_io

 _check_test_img

-echo
-echo === Avoid freeing external data clusters on failure ===
-echo
-
-# Similar test as the last one, except we test what happens when there
-# is an error when writing to an external data file instead of when
-# writing to a preallocated zero cluster
-_make_test_img -o "data_file=$TEST_IMG.data_file" $CLUSTER_SIZE
-
-# Put blkdebug above the data-file, and a raw node on top of that so
-# that blkdebug will see a write_aio event and emit an error
-$QEMU_IO -c "write 0 $CLUSTER_SIZE" \
-    "json:{
-         'driver': 'qcow2',
-         'file': { 'driver': 'file', 'filename': '$TEST_IMG' },
-         'data-file': {
-             'driver': 'raw',
-             'file': {
-                 'driver': 'blkdebug',
-                 'config': '$TEST_DIR/blkdebug.conf',
-                 'image': {
-                     'driver': 'file',
-                     'filename': '$TEST_IMG.data_file'
-                 }
-             }
-         }
-     }" \
-    | _filter_qemu_io
-
-_check_test_img
-
 # success, all done
 echo "*** done"
 rm -f $seq.full
--- a/tests/qemu-iotests/026.out
+++ b/tests/qemu-iotests/026.out
@ -653,10 +653,4 @@ wrote 1024/1024 bytes at offset 0
 1 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
 write failed: Input/output error
 No errors were found on the image.
-
-=== Avoid freeing external data clusters on failure ===
-
-Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1024 data_file=TEST_DIR/t.IMGFMT.data_file
-write failed: Input/output error
-No errors were found on the image.
 *** done
--- a/tests/qemu-iotests/026.out.nocache
+++ b/tests/qemu-iotests/026.out.nocache
@ -661,10 +661,4 @@ wrote 1024/1024 bytes at offset 0
 1 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
 write failed: Input/output error
 No errors were found on the image.
-
-=== Avoid freeing external data clusters on failure ===
-
-Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1024 data_file=TEST_DIR/t.IMGFMT.data_file
-write failed: Input/output error
-No errors were found on the image.
 *** done
--- a/tests/qemu-iotests/085
+++ b/tests/qemu-iotests/085
@ -39,6 +39,7 @@ SNAPSHOTS=10
 _cleanup()
 {
    _cleanup_qemu
+    _cleanup_test_img
    for i in $(seq 1 ${SNAPSHOTS})
    do
        _rm_test_img "${TEST_DIR}/${i}-${snapshot_virt0}"
--- a/tests/qemu-iotests/087
+++ b/tests/qemu-iotests/087
@ -26,6 +26,12 @@ echo "QA output created by $seq"

 status=1	# failure is the default!

+_cleanup()
+{
+    _cleanup_test_img
+}
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
 # get standard environment, filters and checks
 . ./common.rc
 . ./common.filter
--- a/tests/qemu-iotests/279
+++ b/tests/qemu-iotests/279
@ -26,7 +26,7 @@ status=1	# failure is the default!
 _cleanup()
 {
    _cleanup_test_img
-    rm -f "$TEST_IMG.mid"
+    _rm_test_img "$TEST_IMG.mid"
 }
 trap "_cleanup; exit \$status" 0 1 2 3 15

--- a/tests/qemu-iotests/289
+++ b/tests/qemu-iotests/289
@ -0,0 +1,89 @@
+#!/usr/bin/env bash
+#
+# qcow2 v3-exclusive error path testing
+# (026 tests paths common to v2 and v3)
+#
+# Copyright (C) 2020 Red Hat, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+seq=$(basename $0)
+echo "QA output created by $seq"
+
+status=1	# failure is the default!
+
+_cleanup()
+{
+    _cleanup_test_img
+    rm "$TEST_DIR/blkdebug.conf"
+    rm -f "$TEST_IMG.data_file"
+}
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+# get standard environment, filters and checks
+. ./common.rc
+. ./common.filter
+. ./common.pattern
+
+_supported_fmt qcow2
+_supported_proto file
+# This is a v3-exclusive test;
+# As for data_file, error paths often very much depend on whether
+# there is an external data file or not; so we create one exactly when
+# we want to test it
+_unsupported_imgopts 'compat=0.10' data_file
+
+echo
+echo === Avoid freeing external data clusters on failure ===
+echo
+
+cat > "$TEST_DIR/blkdebug.conf" <<EOF
+[inject-error]
+event = "write_aio"
+errno = "5"
+once = "on"
+EOF
+
+# Test what happens when there is an error when writing to an external
+# data file instead of when writing to a preallocated zero cluster
+_make_test_img -o "data_file=$TEST_IMG.data_file" 64k
+
+# Put blkdebug above the data-file, and a raw node on top of that so
+# that blkdebug will see a write_aio event and emit an error.  This
+# will then trigger the alloc abort code, which we want to test here.
+$QEMU_IO -c "write 0 64k" \
+    "json:{
+         'driver': 'qcow2',
+         'file': { 'driver': 'file', 'filename': '$TEST_IMG' },
+         'data-file': {
+             'driver': 'raw',
+             'file': {
+                 'driver': 'blkdebug',
+                 'config': '$TEST_DIR/blkdebug.conf',
+                 'image': {
+                     'driver': 'file',
+                     'filename': '$TEST_IMG.data_file'
+                 }
+             }
+         }
+     }" \
+    | _filter_qemu_io
+
+_check_test_img
+
+# success, all done
+echo "*** done"
+rm -f $seq.full
+status=0
--- a/tests/qemu-iotests/289.out
+++ b/tests/qemu-iotests/289.out
@ -0,0 +1,8 @@
+QA output created by 289
+
+=== Avoid freeing external data clusters on failure ===
+
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=65536 data_file=TEST_DIR/t.IMGFMT.data_file
+write failed: Input/output error
+No errors were found on the image.
+*** done
--- a/tests/qemu-iotests/group
+++ b/tests/qemu-iotests/group
@ -295,3 +295,4 @@
 284 rw
 286 rw quick
 288 quick
+289 rw quick