Both blockdev.c and job-qmp.c have TOC/TOU conditions, because they first search for the job and then perform an action on it. Therefore, we need to do the search + action under the same job mutex critical section.
Note: at this stage, job_{lock/unlock} and job lock guard macros are *nop*. Signed-off-by: Emanuele Giuseppe Esposito <eespo...@redhat.com> --- blockdev.c | 14 +++++++++++++- job-qmp.c | 13 ++++++++++++- 2 files changed, 25 insertions(+), 2 deletions(-) diff --git a/blockdev.c b/blockdev.c index 099d57e0d2..1fbd9b9e04 100644 --- a/blockdev.c +++ b/blockdev.c @@ -3305,7 +3305,10 @@ out: aio_context_release(aio_context); } -/* Get a block job using its ID and acquire its AioContext */ +/* + * Get a block job using its ID and acquire its AioContext. + * Returns with job_lock held on success. + */ static BlockJob *find_block_job(const char *id, AioContext **aio_context, Error **errp) { @@ -3314,12 +3317,14 @@ static BlockJob *find_block_job(const char *id, AioContext **aio_context, assert(id != NULL); *aio_context = NULL; + job_lock(); job = block_job_get(id); if (!job) { error_set(errp, ERROR_CLASS_DEVICE_NOT_ACTIVE, "Block job '%s' not found", id); + job_unlock(); return NULL; } @@ -3340,6 +3345,7 @@ void qmp_block_job_set_speed(const char *device, int64_t speed, Error **errp) block_job_set_speed(job, speed, errp); aio_context_release(aio_context); + job_unlock(); } void qmp_block_job_cancel(const char *device, @@ -3366,6 +3372,7 @@ void qmp_block_job_cancel(const char *device, job_user_cancel_locked(&job->job, force, errp); out: aio_context_release(aio_context); + job_unlock(); } void qmp_block_job_pause(const char *device, Error **errp) @@ -3380,6 +3387,7 @@ void qmp_block_job_pause(const char *device, Error **errp) trace_qmp_block_job_pause(job); job_user_pause_locked(&job->job, errp); aio_context_release(aio_context); + job_unlock(); } void qmp_block_job_resume(const char *device, Error **errp) @@ -3394,6 +3402,7 @@ void qmp_block_job_resume(const char *device, Error **errp) trace_qmp_block_job_resume(job); job_user_resume_locked(&job->job, errp); aio_context_release(aio_context); + job_unlock(); } void qmp_block_job_complete(const char *device, Error **errp) @@ -3408,6 +3417,7 @@ void qmp_block_job_complete(const char *device, Error **errp) trace_qmp_block_job_complete(job); job_complete_locked(&job->job, errp); aio_context_release(aio_context); + job_unlock(); } void qmp_block_job_finalize(const char *id, Error **errp) @@ -3431,6 +3441,7 @@ void qmp_block_job_finalize(const char *id, Error **errp) aio_context = blk_get_aio_context(job->blk); job_unref_locked(&job->job); aio_context_release(aio_context); + job_unlock(); } void qmp_block_job_dismiss(const char *id, Error **errp) @@ -3447,6 +3458,7 @@ void qmp_block_job_dismiss(const char *id, Error **errp) job = &bjob->job; job_dismiss_locked(&job, errp); aio_context_release(aio_context); + job_unlock(); } void qmp_change_backing_file(const char *device, diff --git a/job-qmp.c b/job-qmp.c index 9fa14bf761..615e056fc4 100644 --- a/job-qmp.c +++ b/job-qmp.c @@ -29,16 +29,21 @@ #include "qapi/error.h" #include "trace/trace-root.h" -/* Get a job using its ID and acquire its AioContext */ +/* + * Get a block job using its ID and acquire its AioContext. + * Returns with job_lock held on success. + */ static Job *find_job(const char *id, AioContext **aio_context, Error **errp) { Job *job; *aio_context = NULL; + job_lock(); job = job_get_locked(id); if (!job) { error_setg(errp, "Job not found"); + job_unlock(); return NULL; } @@ -60,6 +65,7 @@ void qmp_job_cancel(const char *id, Error **errp) trace_qmp_job_cancel(job); job_user_cancel_locked(job, true, errp); aio_context_release(aio_context); + job_unlock(); } void qmp_job_pause(const char *id, Error **errp) @@ -74,6 +80,7 @@ void qmp_job_pause(const char *id, Error **errp) trace_qmp_job_pause(job); job_user_pause_locked(job, errp); aio_context_release(aio_context); + job_unlock(); } void qmp_job_resume(const char *id, Error **errp) @@ -88,6 +95,7 @@ void qmp_job_resume(const char *id, Error **errp) trace_qmp_job_resume(job); job_user_resume_locked(job, errp); aio_context_release(aio_context); + job_unlock(); } void qmp_job_complete(const char *id, Error **errp) @@ -102,6 +110,7 @@ void qmp_job_complete(const char *id, Error **errp) trace_qmp_job_complete(job); job_complete_locked(job, errp); aio_context_release(aio_context); + job_unlock(); } void qmp_job_finalize(const char *id, Error **errp) @@ -125,6 +134,7 @@ void qmp_job_finalize(const char *id, Error **errp) aio_context = job->aio_context; job_unref_locked(job); aio_context_release(aio_context); + job_unlock(); } void qmp_job_dismiss(const char *id, Error **errp) @@ -139,6 +149,7 @@ void qmp_job_dismiss(const char *id, Error **errp) trace_qmp_job_dismiss(job); job_dismiss_locked(&job, errp); aio_context_release(aio_context); + job_unlock(); } static JobInfo *job_query_single(Job *job, Error **errp) -- 2.31.1