From: Bharata B Rao <bharata@linux.vnet.ibm.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: Kevin Wolf <kwolf@redhat.com>, Vijay Bellur <vbellur@redhat.com>,
	Stefan Hajnoczi <stefanha@gmail.com>,
	qemu-devel@nongnu.org, Stefan Hajnoczi <stefanha@redhat.com>,
	Asias He <asias@redhat.com>,
	MORITA Kazutaka <morita.kazutaka@lab.ntt.co.jp>
Subject: Re: [Qemu-devel] [PATCH] block: Fix race in gluster_finish_aiocb
Date: Fri, 23 Aug 2013 13:41:00 +0530
Message-ID: <20130823081100.GH2755@in.ibm.com>
In-Reply-To: <52171041.9030805@redhat.com>

On Fri, Aug 23, 2013 at 09:33:21AM +0200, Paolo Bonzini wrote:
> > (gdb) p *bh
> > $1 = {ctx = 0x0, cb = 0x5555555ffdcd <qemu_gluster_aio_bh>, opaque = 
> >     0x7fffd00419c0, next = 0x555556345e70, scheduled = false, idle = false, 
> >   deleted = true}
> 
> This looks like a use-after-free, with bh->ctx corrupted when freeing
> the bottom half.  But it's not at all obvious how it can happen.
> 
> I suggest using MALLOC_PERTURB_=42 to check this theory (if it is
> correct, most fields will be something like 0x2a2a2a2a2a2a2a2a).  But I
> don't see anything clearly wrong in the patch... Thus perhaps it is
> simpler to just remove the unreachable error handling code.

(gdb) p *bh
$1 = {ctx = 0x0, cb = 0x2a2a2a2a2a2a2a2a, opaque = 0x2a2a2a2a2a2a2a2a, next = 
    0x2a2a2a2a2a2a2a2a, scheduled = false, idle = false, deleted = true}

Maybe, as noted above, I should just remove the unreachable error handling
code for now.

Regards,
Bharata.
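The check Paolo suggested (run under MALLOC_PERTURB_=42 and look for 0x2a2a2a2a2a2a2a2a in the dumped fields) can be scripted so that core-dump triage does not depend on eyeballing hex. The helper below is an added example, not code from this thread or from QEMU: it parses the output of gdb's `p *bh` (the two dumps quoted above are embedded as constructed sample input), derives the freed-fill byte (N) and the malloc-fill byte (N ^ 0xff) from the perturb value, and labels each pointer-sized field. It assumes an 8-byte pointer width (x86-64, matching the session above); the function names are this example's own.

```python
import re

POINTER_WIDTH = 8  # bytes; x86-64, matching the gdb session in the thread


def perturb_patterns(perturb, width=POINTER_WIDTH):
    """Return (freed_fill, alloc_fill) as `width`-byte integers.

    glibc's MALLOC_PERTURB_=N overwrites memory with N on free() and with
    N ^ 0xff on malloc(), so a pointer-sized field read from freed memory
    shows the freed byte repeated across the whole word.
    """
    free_byte = perturb & 0xFF
    alloc_byte = free_byte ^ 0xFF
    free_pat = int.from_bytes(bytes([free_byte]) * width, "little")
    alloc_pat = int.from_bytes(bytes([alloc_byte]) * width, "little")
    return free_pat, alloc_pat


def parse_gdb_struct(dump):
    """Parse gdb's `p *ptr` output for a struct into {field: value-string}.

    Handles the line wrapping gdb inserts and keeps the `<symbol>`
    annotation gdb prints after function pointers as part of the value.
    """
    text = " ".join(line.strip() for line in dump.splitlines())
    body = text[text.index("{") + 1 : text.rindex("}")]
    return {m.group(1): m.group(2).strip()
            for m in re.finditer(r"(\w+)\s*=\s*([^,]+)", body)}


def classify_fields(fields, perturb, width=POINTER_WIDTH):
    """Label each field as 'null', 'freed-fill', 'alloc-fill', 'other' or
    'non-pointer' (bools, enums and other values not printed as hex)."""
    free_pat, alloc_pat = perturb_patterns(perturb, width)
    labels = {}
    for name, raw in fields.items():
        token = raw.split()[0]  # drop the '<symbol>' part after an address
        if not token.startswith("0x"):
            labels[name] = "non-pointer"
            continue
        value = int(token, 16)
        if value == 0:
            labels[name] = "null"
        elif value == free_pat:
            labels[name] = "freed-fill"
        elif value == alloc_pat:
            labels[name] = "alloc-fill"
        else:
            labels[name] = "other"
    return labels


def looks_freed(labels):
    """True if any pointer field carries the freed-fill pattern, i.e. the
    struct was read after the allocator had already released it."""
    return any(label == "freed-fill" for label in labels.values())


# Constructed sample input: the two dumps quoted in the thread.
DUMP_BEFORE_PERTURB = """$1 = {ctx = 0x0, cb = 0x5555555ffdcd <qemu_gluster_aio_bh>, opaque =
    0x7fffd00419c0, next = 0x555556345e70, scheduled = false, idle = false,
  deleted = true}"""

DUMP_WITH_PERTURB = """$1 = {ctx = 0x0, cb = 0x2a2a2a2a2a2a2a2a, opaque = 0x2a2a2a2a2a2a2a2a, next =
    0x2a2a2a2a2a2a2a2a, scheduled = false, idle = false, deleted = true}"""


if __name__ == "__main__":
    for title, dump in (("without perturb", DUMP_BEFORE_PERTURB),
                        ("MALLOC_PERTURB_=42", DUMP_WITH_PERTURB)):
        labels = classify_fields(parse_gdb_struct(dump), 42)
        print(title, "->", "freed" if looks_freed(labels) else "inconclusive")
        for name, label in labels.items():
            print("   ", name, label)
```

Two caveats when reading the output. The first word of a freed chunk typically holds the allocator's free-list link, written after the perturb fill, which is why ctx reads 0x0 in the dump instead of the pattern; judge by the remaining pointer fields. And a dump taken without MALLOC_PERTURB_ set (the first sample) is classified as inconclusive rather than clean: the absence of the pattern says nothing, as the earlier dump in this very thread shows.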

Thread overview:
2013-08-21  2:02 [Qemu-devel] [PATCH] block: Fix race in gluster_finish_aiocb Asias He
2013-08-21  8:16 ` Paolo Bonzini
2013-08-22  9:50   ` Asias He
2013-08-22  9:51     ` Paolo Bonzini
2013-08-23  8:32       ` Asias He
2013-08-23  9:05         ` Paolo Bonzini
2013-08-21 15:24 ` Stefan Hajnoczi
2013-08-21 15:40   ` Paolo Bonzini
2013-08-22  5:59     ` Bharata B Rao
2013-08-22  7:48       ` Stefan Hajnoczi
2013-08-22  9:06         ` Paolo Bonzini
2013-08-22  9:55           ` Bharata B Rao
2013-08-22 10:00             ` Paolo Bonzini
2013-08-22 10:28               ` Bharata B Rao
2013-08-22 11:15                 ` Paolo Bonzini
2013-08-22 13:25                   ` Bharata B Rao
2013-08-22 13:27                     ` Paolo Bonzini
2013-08-22 14:01                       ` Bharata B Rao
2013-08-22 14:52                         ` Paolo Bonzini
2013-08-23  6:48     ` Bharata B Rao
2013-08-23  7:33       ` Paolo Bonzini
2013-08-23  8:11         ` Bharata B Rao [this message]