On 24.02.25 at 15:57, Fiona Ebner wrote:
> It is necessary to reset the error pointer after error_report_err(),
> because that function frees the error. Not doing so can lead to a
> use-after-free and in particular error_setg() with the same error
> pointer will run into assertion failure, because it asserts that no
> previous error is set:
>
>> #5  0x00007c1723674eb2 in __GI___assert_fail
>>     (assertion=assertion@entry=0x59132c9fc540 "*errp == NULL",
>>     file=file@entry=0x59132c9fc530 "../util/error.c", line=line@entry=68,
>>     function=function@entry=0x59132c9fc5f8 <__PRETTY_FUNCTION__.2> "error_setv")
>> #6  0x000059132c7d250f in error_setv (errp=0x7c15839fafb8,
>>     src=0x59132c9af224 "../block/dirty-bitmap.c", line=182,
>>     func=0x59132c9af9b0 <__func__.17> "bdrv_dirty_bitmap_check",
>>     err_class=err_class@entry=ERROR_CLASS_GENERIC_ERROR,
>>     fmt=fmt@entry=0x59132c9af380 "Bitmap '%s' is currently in use by another operation and cannot be used",
>>     ap=0x7c15839fad60, suffix=0x0)
>> #7  0x000059132c7d265c in error_setg_internal (errp=errp@entry=0x7c15839fafb8,
>>     src=src@entry=0x59132c9af224 "../block/dirty-bitmap.c", line=line@entry=182,
>>     func=func@entry=0x59132c9af9b0 <__func__.17> "bdrv_dirty_bitmap_check",
>>     fmt=fmt@entry=0x59132c9af380 "Bitmap '%s' is currently in use by another operation and cannot be used")
>> #8  0x000059132c68fbc1 in bdrv_dirty_bitmap_check (bitmap=bitmap@entry=0x5913542d6190,
>>     flags=flags@entry=7, errp=errp@entry=0x7c15839fafb8)
>> #9  0x000059132c3b951d in add_bitmaps_to_list (s=s@entry=0x59132d87ee40 <dbm_state>,
>>     bs=bs@entry=0x591352d6b720, bs_name=bs_name@entry=0x591352d69900 "drive-scsi1",
>>     alias_map=alias_map@entry=0x0, errp=errp@entry=0x7c15839fafb8)
>> #10 0x000059132c3ba23d in init_dirty_bitmap_migration (errp=<optimized out>,
>>     s=0x59132d87ee40 <dbm_state>)
>> #11 dirty_bitmap_save_setup (f=0x591352ebdd30, opaque=0x59132d87ee40 <dbm_state>,
>>     errp=0x7c15839fafb8)
>> #12 0x000059132c3d81f0 in qemu_savevm_state_setup (f=0x591352ebdd30,
>>     errp=errp@entry=0x7c15839fafb8)
>
> Fix created using the appropriate in-tree coccinelle script:
> spatch --in-place scripts/coccinelle/error-use-after-free.cocci migration/block-dirty-bitmap.c
>
> The problematic change exposing the issue was part of 7882afe ("update
> submodule and patches to QEMU 9.1.2") adapting to QEMU 9.1, commit
> dd03167725 ("migration: Add Error** argument to
> add_bitmaps_to_list()"), where the add_bitmaps_to_list() function
> gained an error pointer argument, replacing the local error variable
> that was used before.
>
> Fixes: 7882afe ("update submodule and patches to QEMU 9.1.2")
> Signed-off-by: Fiona Ebner <f.eb...@proxmox.com>
> ---
>
> No changes in v2.
>
>  ...tion-block-dirty-bitmap-migrate-other-bitmaps-e.patch | 9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)
>
applied both patches, thanks! And it's nice to see the use of
structured/semantic patching through coccinelle.

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
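A worked illustration of the pattern the commit message describes, added here and not part of the thread, of the Proxmox patch or of QEMU's code. It uses a deliberately minimal stand-in for QEMU's Error API (constructed for this example: real QEMU's error_setv() asserts `*errp == NULL` and aborts, the stand-in counts the violation instead so the faulty sequence can be observed without crashing) and a loop modelled on add_bitmaps_to_list() with an `Error **errp` parameter, shown once without and once with the pointer reset that the coccinelle script inserts after error_report_err(). The bitmap names and the "in use" flags are constructed sample data.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for QEMU's Error object (constructed for this example). */
typedef struct Error {
    char *msg;
} Error;

/* Real QEMU's error_setv() asserts "*errp == NULL" (util/error.c) and aborts.
 * The stand-in counts the violation instead, so a test can observe the faulty
 * call sequence without the process dying. */
static int errp_reuse_violations;

static void error_setg(Error **errp, const char *fmt, ...)
{
    if (errp == NULL) {
        return;                   /* caller does not want the error */
    }
    if (*errp != NULL) {
        errp_reuse_violations++;  /* QEMU would abort here */
        return;
    }
    char buf[160];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
    Error *err = malloc(sizeof *err);
    size_t n = strlen(buf) + 1;
    err->msg = malloc(n);
    memcpy(err->msg, buf, n);
    *errp = err;
}

static void error_free(Error *err)
{
    if (err != NULL) {
        free(err->msg);
        free(err);
    }
}

/* Prints the message and frees the Error. Whatever pointer the caller passed
 * is dangling afterwards; that is the property the thread is about. */
static void error_report_err(Error *err)
{
    fprintf(stderr, "error: %s\n", err->msg);
    error_free(err);
}

/* Stand-in for the per-bitmap check that fails in the quoted backtrace. */
static int check_bitmap(const char *name, int in_use, Error **errp)
{
    if (in_use) {
        error_setg(errp, "Bitmap '%s' is currently in use by another "
                   "operation and cannot be used", name);
        return -1;
    }
    return 0;
}

/* Constructed sample data: three bitmaps, two of them "in use". */
static const char *const bitmap_names[] = { "bitmap0", "bitmap1", "bitmap2" };
static const int bitmap_in_use[] = { 1, 0, 1 };

/* Buggy shape: the error is reported (and freed) but *errp is left dangling,
 * so the second failing bitmap hits the "previous error set" check.
 * Returns the number of violations the stand-in recorded. */
static int add_bitmaps_buggy(Error **errp)
{
    errp_reuse_violations = 0;
    for (size_t i = 0; i < 3; i++) {
        if (check_bitmap(bitmap_names[i], bitmap_in_use[i], errp) < 0) {
            if (errp_reuse_violations > 0) {
                /* QEMU would already have aborted inside error_setg(); stop
                 * here rather than hand the freed Error to error_report_err(). */
                return errp_reuse_violations;
            }
            error_report_err(*errp);
            /* missing: *errp = NULL; */
        }
    }
    return errp_reuse_violations;
}

/* Fixed shape, the kind of reset scripts/coccinelle/error-use-after-free.cocci
 * inserts: clear the pointer right after the Error has been reported and freed. */
static int add_bitmaps_fixed(Error **errp)
{
    errp_reuse_violations = 0;
    for (size_t i = 0; i < 3; i++) {
        if (check_bitmap(bitmap_names[i], bitmap_in_use[i], errp) < 0) {
            error_report_err(*errp);
            *errp = NULL;
        }
    }
    return errp_reuse_violations;
}

int main(void)
{
    Error *err = NULL;
    printf("buggy loop: %d reuse violation(s)\n", add_bitmaps_buggy(&err));
    err = NULL;   /* the buggy loop left it dangling; discard it */
    printf("fixed loop: %d reuse violation(s), errp %s\n",
           add_bitmaps_fixed(&err), err == NULL ? "clear" : "still set");
    return 0;
}
```

The buggy loop records one violation on the third bitmap, exactly the point at which real QEMU fails the `*errp == NULL` assertion in the quoted backtrace; the fixed loop reports both errors and leaves `*errp` NULL, so a later error_setg() through the same pointer is legal again.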