[v2] curl: Don't deref NULL pointer in call to aio_poll.

Message ID	1409213061-15562-2-git-send-email-rjones@redhat.com
State	New
Headers	show Return-Path: <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org> From: "Richard W.M. Jones" <rjones@redhat.com> To: qemu-devel@nongnu.org Date: Thu, 28 Aug 2014 09:04:21 +0100 Message-Id: <1409213061-15562-2-git-send-email-rjones@redhat.com> In-Reply-To: <1409213061-15562-1-git-send-email-rjones@redhat.com> References: <1409213061-15562-1-git-send-email-rjones@redhat.com> Cc: pbonzini@redhat.com, famz@redhat.com, stefanha@redhat.com Subject: [Qemu-devel] [PATCH v2] curl: Don't deref NULL pointer in call to aio_poll. Precedence: list Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org

Message ID

1409213061-15562-2-git-send-email-rjones@redhat.com

State

New

Headers

From: "Richard W.M. Jones" <rjones@redhat.com>
To: qemu-devel@nongnu.org
Date: Thu, 28 Aug 2014 09:04:21 +0100
Message-Id: <1409213061-15562-2-git-send-email-rjones@redhat.com>
In-Reply-To: <1409213061-15562-1-git-send-email-rjones@redhat.com>
References: <1409213061-15562-1-git-send-email-rjones@redhat.com>
Cc: pbonzini@redhat.com, famz@redhat.com, stefanha@redhat.com
Subject: [Qemu-devel] [PATCH v2] curl: Don't deref NULL pointer in call to
	aio_poll.
Precedence: list
Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org

Commit Message

Richard W.M. Jones Aug. 28, 2014, 8:04 a.m. UTC

In commit 63f0f45f2e89b60ff8245fec81328ddfde42a303 the following
mechanical change was made:

         if (!state) {
-            qemu_aio_wait();
+            aio_poll(state->s->aio_context, true);
         }

The new code now checks if state is NULL and then dereferences it
('state->s') which is obviously incorrect.

This commit replaces state->s->aio_context with
bdrv_get_aio_context(bs), fixing this problem.  The two other hunks
are concerned with getting the BlockDriverState pointer bs to where it
is needed.

The original bug causes a segfault when using libguestfs to access a
VMware vCenter Server and doing any kind of complex read-heavy
operations.  With this commit the segfault goes away.

Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
---
 block/curl.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

Comments

Benoît Canet Aug. 28, 2014, 2:54 p.m. UTC | #1

The Thursday 28 Aug 2014 à 09:04:21 (+0100), Richard W.M. Jones wrote :
> In commit 63f0f45f2e89b60ff8245fec81328ddfde42a303 the following
> mechanical change was made:
> 
>          if (!state) {
> -            qemu_aio_wait();
> +            aio_poll(state->s->aio_context, true);
>          }
> 
> The new code now checks if state is NULL and then dereferences it
> ('state->s') which is obviously incorrect.
> 
> This commit replaces state->s->aio_context with
> bdrv_get_aio_context(bs), fixing this problem.  The two other hunks
> are concerned with getting the BlockDriverState pointer bs to where it
> is needed.
> 
> The original bug causes a segfault when using libguestfs to access a
> VMware vCenter Server and doing any kind of complex read-heavy
> operations.  With this commit the segfault goes away.
> 
> Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
> ---
>  block/curl.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/block/curl.c b/block/curl.c
> index d4b85d2..f59615d 100644
> --- a/block/curl.c
> +++ b/block/curl.c
> @@ -352,7 +352,7 @@ static void curl_multi_timeout_do(void *arg)
>  #endif
>  }
>  
> -static CURLState *curl_init_state(BDRVCURLState *s)
> +static CURLState *curl_init_state(BlockDriverState *bs, BDRVCURLState *s)
>  {
>      CURLState *state = NULL;
>      int i, j;
> @@ -370,7 +370,7 @@ static CURLState *curl_init_state(BDRVCURLState *s)
>              break;
>          }
>          if (!state) {
> -            aio_poll(state->s->aio_context, true);
> +            aio_poll(bdrv_get_aio_context(bs), true);
>          }
>      } while(!state);
>  
> @@ -541,7 +541,7 @@ static int curl_open(BlockDriverState *bs, QDict *options, int flags,
>      DPRINTF("CURL: Opening %s\n", file);
>      s->aio_context = bdrv_get_aio_context(bs);
>      s->url = g_strdup(file);
> -    state = curl_init_state(s);
> +    state = curl_init_state(bs, s);
>      if (!state)
>          goto out_noclean;
>  
> @@ -625,7 +625,7 @@ static void curl_readv_bh_cb(void *p)
>      }
>  
>      // No cache found, so let's start a new request
> -    state = curl_init_state(s);
> +    state = curl_init_state(acb->common.bs, s);
>      if (!state) {
>          acb->common.cb(acb->common.opaque, -EIO);
>          qemu_aio_release(acb);
> -- 
> 2.0.4
> 
> 
Reviewed-by: Benoît Canet <benoit.canet@nodalink.com>

Stefan Hajnoczi Aug. 29, 2014, 9:03 a.m. UTC | #2

On Thu, Aug 28, 2014 at 09:04:21AM +0100, Richard W.M. Jones wrote:
> diff --git a/block/curl.c b/block/curl.c
> index d4b85d2..f59615d 100644
> --- a/block/curl.c
> +++ b/block/curl.c
> @@ -352,7 +352,7 @@ static void curl_multi_timeout_do(void *arg)
>  #endif
>  }
>  
> -static CURLState *curl_init_state(BDRVCURLState *s)
> +static CURLState *curl_init_state(BlockDriverState *bs, BDRVCURLState *s)
>  {
>      CURLState *state = NULL;
>      int i, j;

Why add the BDRVCURLState *s argument...

> @@ -370,7 +370,7 @@ static CURLState *curl_init_state(BDRVCURLState *s)
>              break;
>          }
>          if (!state) {
> -            aio_poll(state->s->aio_context, true);
> +            aio_poll(bdrv_get_aio_context(bs), true);
>          }
>      } while(!state);
>  

...if it is not used?

Richard W.M. Jones Aug. 29, 2014, 9:19 a.m. UTC | #3

On Fri, Aug 29, 2014 at 10:03:59AM +0100, Stefan Hajnoczi wrote:
> On Thu, Aug 28, 2014 at 09:04:21AM +0100, Richard W.M. Jones wrote:
> > diff --git a/block/curl.c b/block/curl.c
> > index d4b85d2..f59615d 100644
> > --- a/block/curl.c
> > +++ b/block/curl.c
> > @@ -352,7 +352,7 @@ static void curl_multi_timeout_do(void *arg)
> >  #endif
> >  }
> >  
> > -static CURLState *curl_init_state(BDRVCURLState *s)
> > +static CURLState *curl_init_state(BlockDriverState *bs, BDRVCURLState *s)
> >  {
> >      CURLState *state = NULL;
> >      int i, j;
> 
> Why add the BDRVCURLState *s argument...
> 
> > @@ -370,7 +370,7 @@ static CURLState *curl_init_state(BDRVCURLState *s)
> >              break;
> >          }
> >          if (!state) {
> > -            aio_poll(state->s->aio_context, true);
> > +            aio_poll(bdrv_get_aio_context(bs), true);
> >          }
> >      } while(!state);
> >  
> 
> ...if it is not used?

I may be misunderstanding this, but BDRVCURLState *s is used elsewhere
in the function.

However there is a potential to derive `BDRVCURLState *s = bs->opaque;'
if that's what you meant?

Rich.

Stefan Hajnoczi Aug. 29, 2014, 3:13 p.m. UTC | #4

On Fri, Aug 29, 2014 at 10:19:04AM +0100, Richard W.M. Jones wrote:
> On Fri, Aug 29, 2014 at 10:03:59AM +0100, Stefan Hajnoczi wrote:
> > On Thu, Aug 28, 2014 at 09:04:21AM +0100, Richard W.M. Jones wrote:
> > > diff --git a/block/curl.c b/block/curl.c
> > > index d4b85d2..f59615d 100644
> > > --- a/block/curl.c
> > > +++ b/block/curl.c
> > > @@ -352,7 +352,7 @@ static void curl_multi_timeout_do(void *arg)
> > >  #endif
> > >  }
> > >  
> > > -static CURLState *curl_init_state(BDRVCURLState *s)
> > > +static CURLState *curl_init_state(BlockDriverState *bs, BDRVCURLState *s)
> > >  {
> > >      CURLState *state = NULL;
> > >      int i, j;
> > 
> > Why add the BDRVCURLState *s argument...
> > 
> > > @@ -370,7 +370,7 @@ static CURLState *curl_init_state(BDRVCURLState *s)
> > >              break;
> > >          }
> > >          if (!state) {
> > > -            aio_poll(state->s->aio_context, true);
> > > +            aio_poll(bdrv_get_aio_context(bs), true);
> > >          }
> > >      } while(!state);
> > >  
> > 
> > ...if it is not used?
> 
> I may be misunderstanding this, but BDRVCURLState *s is used elsewhere
> in the function.
> 
> However there is a potential to derive `BDRVCURLState *s = bs->opaque;'
> if that's what you meant?

Sorry, I misread the code.

I thought you added s but you really added bs.  That's fine and it makes
sense now :).

Stefan

diff --git a/block/curl.c b/block/curl.c
index d4b85d2..f59615d 100644
--- a/block/curl.c
+++ b/block/curl.c
@@ -352,7 +352,7 @@  static void curl_multi_timeout_do(void *arg)
 #endif
 }
 
-static CURLState *curl_init_state(BDRVCURLState *s)
+static CURLState *curl_init_state(BlockDriverState *bs, BDRVCURLState *s)
 {
     CURLState *state = NULL;
     int i, j;
@@ -370,7 +370,7 @@  static CURLState *curl_init_state(BDRVCURLState *s)
             break;
         }
         if (!state) {
-            aio_poll(state->s->aio_context, true);
+            aio_poll(bdrv_get_aio_context(bs), true);
         }
     } while(!state);
 
@@ -541,7 +541,7 @@  static int curl_open(BlockDriverState *bs, QDict *options, int flags,
     DPRINTF("CURL: Opening %s\n", file);
     s->aio_context = bdrv_get_aio_context(bs);
     s->url = g_strdup(file);
-    state = curl_init_state(s);
+    state = curl_init_state(bs, s);
     if (!state)
         goto out_noclean;
 
@@ -625,7 +625,7 @@  static void curl_readv_bh_cb(void *p)
     }
 
     // No cache found, so let's start a new request
-    state = curl_init_state(s);
+    state = curl_init_state(acb->common.bs, s);
     if (!state) {
         acb->common.cb(acb->common.opaque, -EIO);
         qemu_aio_release(acb);

[v2] curl: Don't deref NULL pointer in call to aio_poll.

Commit Message

Comments

Patch