Re: [PATCH 3/3] iotests/283: Check that finalize drops backup-top

From: Max Reitz
Subject: Re: [PATCH 3/3] iotests/283: Check that finalize drops backup-top
Date: Fri, 19 Feb 2021 16:59:02 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.0

On 19.02.21 16:33, Max Reitz wrote:
Without any of HEAD^ or HEAD^^ applied, qemu will most likely crash on
the qemu-io invocation, for a variety of immediate reasons.  The
underlying problem is generally a use-after-free access into
backup-top's BlockCopyState.

With only HEAD^ applied, qemu-io will run into an EIO (which is not
captured by the output, but you can see that the qemu-io invocation will
be accepted (i.e., qemu-io will run) in contrast to the reference
output, where the node name cannot be found), and qemu will then crash
in query-named-block-nodes: bdrv_get_allocated_file_size() detects
backup-top to be a filter and passes the request through to its child.
However, after bdrv_backup_top_drop(), that child is NULL, so the
recursive call crashes.

With HEAD^^ applied, this test should pass.

Signed-off-by: Max Reitz <mreitz@redhat.com>
  tests/qemu-iotests/283     | 55 ++++++++++++++++++++++++++++++++++++++
  tests/qemu-iotests/283.out | 15 +++++++++++
  2 files changed, 70 insertions(+)

diff --git a/tests/qemu-iotests/283 b/tests/qemu-iotests/283
index 79643e375b..509dcbbcf4 100755
--- a/tests/qemu-iotests/283
+++ b/tests/qemu-iotests/283
@@ -97,3 +97,58 @@ vm.qmp_log('blockdev-add', **{
  vm.qmp_log('blockdev-backup', sync='full', device='source', target='target')
+Check that the backup-top node is gone after job-finalize.
+During finalization, the node becomes inactive and can no longer
+function.  If it is still present, new parents might be attached, and
+there would be no meaningful way to handle their I/O requests.
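Review bot: the four explanatory lines added at the top of this hunk, starting with "Check that the backup-top node is gone after job-finalize.", carry no `#` prefix or string delimiter, so as shown they are neither a Python comment nor a valid statement in the 283 test script, and even as a bare string statement they would be a statement with no effect, which pylint (run by test 297) rejects. Prefix each line with `# ` so the rationale becomes an ordinary comment immediately above the corresponding `print()` call, e.g. `# Check that the backup-top node is gone after job-finalize.` and `# During finalization, the node becomes inactive and can no longer`.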

Oh no, 297/pylint complains that this “string statement has no effect”. Guess it should be a normal comment under the following print() then...


+print('\n=== backup-top should be gone after job-finalize ===\n')

