From: Kevin Wolf <kwolf@redhat.com>
To: Bin Wu <wu.wubin@huawei.com>
Cc: famz@redhat.com, boby.chen@huawei.com, subo7@huawei.com,
kathy.wangting@huawei.com, rudy.zhangmin@huawei.com,
qemu-devel@nongnu.org, arei.gonglei@huawei.com,
stefanha@redhat.com, pbonzini@redhat.com, bruce.fon@huawei.com
Subject: Re: [Qemu-devel] [PATCH v2] qemu-coroutine: segfault when restarting co_queue
Date: Mon, 9 Feb 2015 10:42:52 +0100 [thread overview]
Message-ID: <20150209094252.GA3963@noname.str.redhat.com> (raw)
In-Reply-To: <1423464639-4764-1-git-send-email-wu.wubin@huawei.com>
On 09.02.2015 at 07:50, Bin Wu wrote:
> From: Bin Wu <wu.wubin@huawei.com>
>
> We tested VMs migration with their disk images by drive_mirror. With
> migration, two VMs copied large files between each other. During the
> test, a segfault occurred. The stack was as follows:
>
> (gdb) bt
> qemu-coroutine-lock.c:66
> to=0x7fa5a1798648) at qemu-coroutine.c:97
> request=0x7fa28c2ffa10, reply=0x7fa28c2ffa30, qiov=0x0, offset=0) at
> block/nbd-client.c:165
> sector_num=8552704, nb_sectors=2040, qiov=0x7fa5a1757468, offset=0) at
> block/nbd-client.c:262
> sector_num=8552704, nb_sectors=2048, qiov=0x7fa5a1757468) at
> block/nbd-client.c:296
> nb_sectors=2048, qiov=0x7fa5a1757468) at block/nbd.c:291
> req=0x7fa28c2ffbb0, offset=4378984448, bytes=1048576, qiov=0x7fa5a1757468,
> flags=0) at block.c:3321
> offset=4378984448, bytes=1048576, qiov=0x7fa5a1757468, flags=(unknown: 0)) at
> block.c:3447
> sector_num=8552704, nb_sectors=2048, qiov=0x7fa5a1757468, flags=(unknown: 0)) at
> block.c:3471
> nb_sectors=2048, qiov=0x7fa5a1757468) at block.c:3480
> nb_sectors=2048, qiov=0x7fa5a1757468) at block/raw_bsd.c:62
> req=0x7fa28c2ffe30, offset=4378984448, bytes=1048576, qiov=0x7fa5a1757468,
> flags=0) at block.c:3321
> offset=4378984448, bytes=1048576, qiov=0x7fa5a1757468, flags=(unknown: 0)) at
> block.c:3447
> sector_num=8552704, nb_sectors=2048, qiov=0x7fa5a1757468, flags=(unknown: 0)) at
> block.c:3471
> coroutine-ucontext.c:121
>
> After analyzing the stack and reviewing the code, we find the
> qemu_co_queue_run_restart should not be put in the coroutine_swap function which
> can be invoked by qemu_coroutine_enter or qemu_coroutine_yield. Only
> qemu_coroutine_enter needs to restart the co_queue.
>
> The error scenario is as follows: coroutine C1 enters C2, C2 yields
> back to C1, then C1 terminates and the related coroutine memory
> becomes invalid. After a while, the C2 coroutine is entered again.
> At this point, C1 is used as a parameter passed to
> qemu_co_queue_run_restart. Therefore, qemu_co_queue_run_restart
> accesses invalid memory and a segfault error occurs.
Why would C1 be used for the qemu_co_queue_run_restart() call? There is
only one caller, coroutine_swap(). It calls the function for the
coroutine that has just yielded or terminated. In the case of
termination, the coroutine is deleted only afterwards, in the switch
block in coroutine_swap().
> The qemu_co_queue_run_restart function re-enters coroutines waiting
> in the co_queue. However, this function should only be used in the
> qemu_coroutine_enter context.
It shouldn't make a difference. Any coroutine waiting in a CoQueue
should be ready to be restarted at either point.
Kevin