On 29.10.2025 at 14:27, Wesley Hershberger wrote:
> Detaching filters using detach_subchain=true can cause segfaults as
> described in #3149.
> 
> More specifically, this was observed when executing concurrent
> block-stream and query-named-block-nodes. block-stream adds a
> copy-on-read filter as the main BDS for the blockjob; that filter was
> dropped with detach_subchain=true but not unref'd until the blockjob
> was free'd. Because query-named-block-nodes assumes that a filter will
> always have exactly one child, it caused a segfault when it observed the
> detached filter. Stacktrace:
> 
> 0  bdrv_refresh_filename (bs=0x5efed72f8350)
>     at /usr/src/qemu-1:10.1.0+ds-5ubuntu2/b/qemu/block.c:8082
> 1  0x00005efea73cf9dc in bdrv_block_device_info
>     (blk=0x0, bs=0x5efed72f8350, flat=true, errp=0x7ffeb829ebd8)
>     at block/qapi.c:62
> 2  0x00005efea7391ed3 in bdrv_named_nodes_list
>     (flat=<optimized out>, errp=0x7ffeb829ebd8)
>     at /usr/src/qemu-1:10.1.0+ds-5ubuntu2/b/qemu/block.c:6275
> 3  0x00005efea7471993 in qmp_query_named_block_nodes
>     (has_flat=<optimized out>, flat=<optimized out>, errp=0x7ffeb829ebd8)
>     at /usr/src/qemu-1:10.1.0+ds-5ubuntu2/b/qemu/blockdev.c:2834
> 4  qmp_marshal_query_named_block_nodes
>     (args=<optimized out>, ret=0x7f2b753beec0, errp=0x7f2b753beec8)
>     at qapi/qapi-commands-block-core.c:553
> 5  0x00005efea74f03a5 in do_qmp_dispatch_bh (opaque=0x7f2b753beed0)
>     at qapi/qmp-dispatch.c:128
> 6  0x00005efea75108e6 in aio_bh_poll (ctx=0x5efed6f3f430)
>     at util/async.c:219
> 7  0x00005efea74ffdb2 in aio_dispatch (ctx=0x5efed6f3f430)
>     at util/aio-posix.c:436
> 8  0x00005efea7512846 in aio_ctx_dispatch (source=<optimized out>,
>     callback=<optimized out>,user_data=<optimized out>)
>     at util/async.c:361
> 9  0x00007f2b77809bfb in ?? ()
>     from /lib/x86_64-linux-gnu/libglib-2.0.so.0
> 10 0x00007f2b77809e70 in g_main_context_dispatch ()
>     from /lib/x86_64-linux-gnu/libglib-2.0.so.0
> 11 0x00005efea7517228 in glib_pollfds_poll () at util/main-loop.c:287
> 12 os_host_main_loop_wait (timeout=0) at util/main-loop.c:310
> 13 main_loop_wait (nonblocking=<optimized out>) at util/main-loop.c:589
> 14 0x00005efea7140482 in qemu_main_loop () at system/runstate.c:905
> 15 0x00005efea744e4e8 in qemu_default_main (opaque=opaque@entry=0x0)
>     at system/main.c:50
> 16 0x00005efea6e76319 in main
>     (argc=<optimized out>, argv=<optimized out>)
>     at system/main.c:93
> 
> As discussed in [email protected],
> a filter should not exist without children in the first place; therefore,
> drop the parameter entirely as it is only used for filters.
> 
> This is a partial revert of 3108a15cf09865456d499b08fe14e3dbec4ccbb3.
> 
> After this change, a blockdev-backup job's copy-before-write filter will
> hold references to its children until the filter is unref'd. This causes
> an additional flush during bdrv_close, so also update iotest 257.
> 
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3149
> Suggested-by: Kevin Wolf <[email protected]>
> Signed-off-by: Wesley Hershberger <[email protected]>
> Reviewed-by: Vladimir Sementsov-Ogievskiy <[email protected]>

Thanks, applied to the block branch.

Kevin
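The lifecycle bug the quoted commit message describes (a filter node that is detached from its child but still referenced, so a graph walker that assumes "filter => exactly one child" dereferences NULL) can be modelled in a few lines. The following is an added illustration, not QEMU code and not part of the thread: a toy refcounted node graph in which `filter_detach_subchain` mirrors the old detach_subchain=true path, `filter_unref` mirrors the fixed behaviour where children live as long as the filter, and `filename_unchecked`/`filename_checked` stand in for a consumer like bdrv_refresh_filename. All names and the struct layout are invented for the example.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a refcounted block-node graph, constructed for this example.
 * It is not QEMU code; the names only loosely echo the thread above. */
typedef struct Node {
    const char *name;
    int refcnt;
    struct Node *child;   /* a filter is expected to have exactly one child */
} Node;

static Node *node_ref(Node *n) { n->refcnt++; return n; }
static void node_unref(Node *n) { if (n) n->refcnt--; }

/* Attaching: the filter takes its own reference on the child. */
static void filter_attach(Node *filter, Node *child)
{
    filter->child = node_ref(child);
}

/* Models the removed detach_subchain=true path: the filter drops its child
 * immediately, although the filter itself is still referenced elsewhere
 * (by the block job, in the thread's scenario). */
static void filter_detach_subchain(Node *filter)
{
    node_unref(filter->child);
    filter->child = NULL;
}

/* Models the fixed behaviour: the child is only released together with the
 * filter's last reference, so a reachable filter always has its child. */
static void filter_unref(Node *filter)
{
    node_unref(filter);
    if (filter->refcnt == 0 && filter->child) {
        node_unref(filter->child);
        filter->child = NULL;
    }
}

/* Consumer that assumes a filter always has a child (crashes otherwise). */
static const char *filename_unchecked(const Node *filter)
{
    return filter->child->name;   /* NULL dereference if detached */
}

/* Defensive variant: tolerates a childless filter instead of crashing. */
static const char *filename_checked(const Node *filter)
{
    return filter->child ? filter->child->name : "<no child>";
}

/* Old lifecycle: returns 1 if a still-referenced filter ended up childless,
 * i.e. the state that made the unchecked consumer segfault. */
static int scenario_detach_subchain(void)
{
    Node file = { "file", 1, NULL };
    Node filter = { "cor", 1, NULL };   /* reference held by the job */
    filter_attach(&filter, &file);
    filter_detach_subchain(&filter);
    /* filter.refcnt is still 1, so a query by node name can reach it */
    return filter.refcnt == 1 && filter.child == NULL
        && strcmp(filename_checked(&filter), "<no child>") == 0;
}

/* Fixed lifecycle: returns 1 if the child stays attached for as long as the
 * filter is referenced and is released exactly once when the job frees it. */
static int scenario_fixed(void)
{
    Node file = { "file", 1, NULL };
    Node filter = { "cor", 1, NULL };
    filter_attach(&filter, &file);
    int ok = strcmp(filename_unchecked(&filter), "file") == 0;  /* safe */
    filter_unref(&filter);            /* job frees: refcnt reaches 0 */
    ok = ok && filter.child == NULL && file.refcnt == 1;
    return ok;
}

int main(void)
{
    printf("detach_subchain leaves a childless reachable filter: %d\n",
           scenario_detach_subchain());
    printf("fixed lifecycle keeps child until filter is freed: %d\n",
           scenario_fixed());
    return 0;
}
```

The point of the two scenarios is the same one the commit message makes: with children tied to the filter's own reference count there is no window in which another QMP command can observe a filter without a child, so the "exactly one child" assumption in consumers holds without adding NULL checks to every walker.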

