qcow2: Fix corruption bug in qcow2_detect_metadata_preallocation()

qcow2_detect_metadata_preallocation() calls qcow2_get_refcount() which requires s->lock to be taken to protect its accesses to the refcount table and refcount blocks. However, nothing in this code path actually took the lock. This could cause the same cache entry to be used by two requests at the same time, for different tables at different offsets, resulting in image corruption. As it would be preferable to base the detection on consistent data (even though it's just heuristics), let's take the lock not only around the qcow2_get_refcount() calls, but around the whole function. This patch takes the lock in qcow2_co_block_status() earlier and asserts in qcow2_detect_metadata_preallocation() that we hold the lock. Fixes: 69f47505 Cc: qemu-stable@nongnu.org Reported-by: N Michael Weiser <michael.weiser@gmx.de> Signed-off-by: N Kevin Wolf <kwolf@redhat.com> Tested-by: N Michael Weiser <michael.weiser@gmx.de> Reviewed-by: N Michael Weiser <michael.weiser@gmx.de> Reviewed-by: N Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: N Max Reitz <mreitz@redhat.com> (cherry picked from commit 5e978550) Signed-off-by: N Michael Roth <mdroth@linux.vnet.ibm.com>

qcow2: Fix corruption bug in qcow2_detect_metadata_preallocation()
qcow2_detect_metadata_preallocation() calls qcow2_get_refcount() which requires s->lock to be taken to protect its accesses to the refcount table and refcount blocks. However, nothing in this code path actually took the lock. This could cause the same cache entry to be used by two requests at the same time, for different tables at different offsets, resulting in image corruption. As it would be preferable to base the detection on consistent data (even though it's just heuristics), let's take the lock not only around the qcow2_get_refcount() calls, but around the whole function. This patch takes the lock in qcow2_co_block_status() earlier and asserts in qcow2_detect_metadata_preallocation() that we hold the lock. Fixes: 69f47505 Cc: qemu-stable@nongnu.org Reported-by: N Michael Weiser <michael.weiser@gmx.de> Signed-off-by: N Kevin Wolf <kwolf@redhat.com> Tested-by: N Michael Weiser <michael.weiser@gmx.de> Reviewed-by: N Michael Weiser <michael.weiser@gmx.de> Reviewed-by: N Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: N Max Reitz <mreitz@redhat.com> (cherry picked from commit 5e978550) Signed-off-by: N Michael Roth <mdroth@linux.vnet.ibm.com>
416a692e · Kevin Wolf · Michael Roth · e9bb3d94 · 416a692e · 416a692e
隐藏空白更改
内联并排

Showing with 4 addition and 1 deletion

block/qcow2-refcount.c block/qcow2-refcount.c +2 -0

block/qcow2.c block/qcow2.c +2 -1

未找到文件。
--- a/block/qcow2-refcount.c
+++ b/block/qcow2-refcount.c
@@ -3455,6 +3455,8 @@ int qcow2_detect_metadata_preallocation(BlockDriverState *bs)
    int64_t i, end_cluster, cluster_count = 0, threshold;
    int64_t file_length, real_allocation, real_clusters;

+    qemu_co_mutex_assert_locked(&s->lock);
+
    file_length = bdrv_getlength(bs->file->bs);
    if (file_length < 0) {
        return file_length;

--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -1899,6 +1899,8 @@ static int coroutine_fn qcow2_co_block_status(BlockDriverState *bs,
    unsigned int bytes;
    int status = 0;

+    qemu_co_mutex_lock(&s->lock);
+
    if (!s->metadata_preallocation_checked) {
        ret = qcow2_detect_metadata_preallocation(bs);
        s->metadata_preallocation = (ret == 1);
@@ -1906,7 +1908,6 @@ static int coroutine_fn qcow2_co_block_status(BlockDriverState *bs,
    }

    bytes = MIN(INT_MAX, count);
-    qemu_co_mutex_lock(&s->lock);
    ret = qcow2_get_cluster_offset(bs, offset, &bytes, &cluster_offset);
    qemu_co_mutex_unlock(&s->lock);
    if (ret < 0) {