Both blockdev.c and job-qmp.c have TOC/TOU conditions, because they first search for the job and then perform an action on it. Therefore, we need to do the search + action under the same job mutex critical section.
Note: at this stage, job_{lock/unlock} and job lock guard macros are *nop*. Signed-off-by: Emanuele Giuseppe Esposito <eespo...@redhat.com> --- blockdev.c | 46 +++++++++++++++++++++++++++++++++++----------- job-qmp.c | 37 +++++++++++++++++++++++++++++-------- 2 files changed, 64 insertions(+), 19 deletions(-) diff --git a/blockdev.c b/blockdev.c index b1099e678c..6f83783f10 100644 --- a/blockdev.c +++ b/blockdev.c @@ -3311,9 +3311,13 @@ out: aio_context_release(aio_context); } -/* Get a block job using its ID and acquire its AioContext */ -static BlockJob *find_block_job(const char *id, AioContext **aio_context, - Error **errp) +/* + * Get a block job using its ID and acquire its AioContext. + * Called with job_mutex held. + */ +static BlockJob *find_block_job_locked(const char *id, + AioContext **aio_context, + Error **errp) { BlockJob *job; @@ -3322,7 +3326,6 @@ static BlockJob *find_block_job(const char *id, AioContext **aio_context, *aio_context = NULL; job = block_job_get(id); - if (!job) { error_set(errp, ERROR_CLASS_DEVICE_NOT_ACTIVE, "Block job '%s' not found", id); @@ -3338,7 +3341,10 @@ static BlockJob *find_block_job(const char *id, AioContext **aio_context, void qmp_block_job_set_speed(const char *device, int64_t speed, Error **errp) { AioContext *aio_context; - BlockJob *job = find_block_job(device, &aio_context, errp); + BlockJob *job; + + JOB_LOCK_GUARD(); + job = find_block_job_locked(device, &aio_context, errp); if (!job) { return; @@ -3352,7 +3358,10 @@ void qmp_block_job_cancel(const char *device, bool has_force, bool force, Error **errp) { AioContext *aio_context; - BlockJob *job = find_block_job(device, &aio_context, errp); + BlockJob *job; + + JOB_LOCK_GUARD(); + job = find_block_job_locked(device, &aio_context, errp); if (!job) { return; @@ -3377,7 +3386,10 @@ out: void qmp_block_job_pause(const char *device, Error **errp) { AioContext *aio_context; - BlockJob *job = find_block_job(device, &aio_context, errp); + BlockJob *job; + + JOB_LOCK_GUARD(); + job = find_block_job_locked(device, &aio_context, errp); if (!job) { return; @@ -3391,7 +3403,10 @@ void qmp_block_job_pause(const char *device, Error **errp) void qmp_block_job_resume(const char *device, Error **errp) { AioContext *aio_context; - BlockJob *job = find_block_job(device, &aio_context, errp); + BlockJob *job; + + JOB_LOCK_GUARD(); + job = find_block_job_locked(device, &aio_context, errp); if (!job) { return; @@ -3405,7 +3420,10 @@ void qmp_block_job_resume(const char *device, Error **errp) void qmp_block_job_complete(const char *device, Error **errp) { AioContext *aio_context; - BlockJob *job = find_block_job(device, &aio_context, errp); + BlockJob *job; + + JOB_LOCK_GUARD(); + job = find_block_job_locked(device, &aio_context, errp); if (!job) { return; @@ -3419,7 +3437,10 @@ void qmp_block_job_complete(const char *device, Error **errp) void qmp_block_job_finalize(const char *id, Error **errp) { AioContext *aio_context; - BlockJob *job = find_block_job(id, &aio_context, errp); + BlockJob *job; + + JOB_LOCK_GUARD(); + job = find_block_job_locked(id, &aio_context, errp); if (!job) { return; @@ -3442,9 +3463,12 @@ void qmp_block_job_finalize(const char *id, Error **errp) void qmp_block_job_dismiss(const char *id, Error **errp) { AioContext *aio_context; - BlockJob *bjob = find_block_job(id, &aio_context, errp); + BlockJob *bjob; Job *job; + JOB_LOCK_GUARD(); + bjob = find_block_job_locked(id, &aio_context, errp); + if (!bjob) { return; } diff --git a/job-qmp.c b/job-qmp.c index 270df1eb7e..58ca9b6632 100644 --- a/job-qmp.c +++ b/job-qmp.c @@ -29,8 +29,11 @@ #include "qapi/error.h" #include "trace/trace-root.h" -/* Get a job using its ID and acquire its AioContext */ -static Job *find_job(const char *id, AioContext **aio_context, Error **errp) +/* + * Get a block job using its ID and acquire its AioContext. + * Called with job_mutex held. + */ +static Job *find_job_locked(const char *id, AioContext **aio_context, Error **errp) { Job *job; @@ -51,7 +54,10 @@ static Job *find_job(const char *id, AioContext **aio_context, Error **errp) void qmp_job_cancel(const char *id, Error **errp) { AioContext *aio_context; - Job *job = find_job(id, &aio_context, errp); + Job *job; + + JOB_LOCK_GUARD(); + job = find_job_locked(id, &aio_context, errp); if (!job) { return; @@ -65,7 +71,10 @@ void qmp_job_cancel(const char *id, Error **errp) void qmp_job_pause(const char *id, Error **errp) { AioContext *aio_context; - Job *job = find_job(id, &aio_context, errp); + Job *job; + + JOB_LOCK_GUARD(); + job = find_job_locked(id, &aio_context, errp); if (!job) { return; @@ -79,7 +88,10 @@ void qmp_job_pause(const char *id, Error **errp) void qmp_job_resume(const char *id, Error **errp) { AioContext *aio_context; - Job *job = find_job(id, &aio_context, errp); + Job *job; + + JOB_LOCK_GUARD(); + job = find_job_locked(id, &aio_context, errp); if (!job) { return; @@ -93,7 +105,10 @@ void qmp_job_resume(const char *id, Error **errp) void qmp_job_complete(const char *id, Error **errp) { AioContext *aio_context; - Job *job = find_job(id, &aio_context, errp); + Job *job; + + JOB_LOCK_GUARD(); + job = find_job_locked(id, &aio_context, errp); if (!job) { return; @@ -107,7 +122,10 @@ void qmp_job_complete(const char *id, Error **errp) void qmp_job_finalize(const char *id, Error **errp) { AioContext *aio_context; - Job *job = find_job(id, &aio_context, errp); + Job *job; + + JOB_LOCK_GUARD(); + job = find_job_locked(id, &aio_context, errp); if (!job) { return; @@ -130,7 +148,10 @@ void qmp_job_finalize(const char *id, Error **errp) void qmp_job_dismiss(const char *id, Error **errp) { AioContext *aio_context; - Job *job = find_job(id, &aio_context, errp); + Job *job; + + JOB_LOCK_GUARD(); + job = find_job_locked(id, &aio_context, errp); if (!job) { return; -- 2.31.1