From: Fam Zheng <famz@redhat.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: Kevin Wolf <kwolf@redhat.com>,
	lvivier@redhat.com, qemu-block@nongnu.org, pl@kamp.de,
	qemu-devel@nongnu.org, qemu-stable@nongnu.org,
	Stefan Hajnoczi <stefanha@redhat.com>,
	dgibson@redhat.com
Subject: Re: [Qemu-devel] [PATCH v3] virtio-blk: Fix double completion for werror=stop
Date: Mon, 23 Nov 2015 08:39:59 +0800
Message-ID: <20151123003959.GC7463@ad.usersys.redhat.com>
In-Reply-To: <56521A53.8030604@redhat.com>

On Sun, 11/22 20:41, Paolo Bonzini wrote:
> > diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
> > index e70fccf..848f3fe 100644
> > --- a/hw/block/virtio-blk.c
> > +++ b/hw/block/virtio-blk.c
> > @@ -112,6 +112,10 @@ static void virtio_blk_rw_complete(void *opaque, int ret)
> >               * happen on the other side of the migration).
> >               */
> >              if (virtio_blk_handle_rw_error(req, -ret, is_read)) {
> > +                /* Break the link in case the next request is added to the
> > +                 * restart queue and is going to be parsed from the ring again.
> > +                 */
> > +                req->mr_next = NULL;
> >                  continue;
> >              }
> >          }
> > 
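Review bot: the new store `req->mr_next = NULL;` executes after `virtio_blk_handle_rw_error()` has already returned, so on any path where that function completes and frees the request before returning true, the store writes into freed memory; the `if` guards on the return value, not on which action was taken, while the added comment only describes the restart-queue case. Move the assignment into virtio_blk_handle_rw_error(), next to the point where the request is added to the restart queue, so that the caller never dereferences req after the call and the `continue` stays as it is.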
> 
> This is now a write-after-free for rerror/werror=stop.  The right place
> to set req->mr_next is inside virtio_blk_handle_rw_error, I think.
> 

Oh yes :( Sending another patch.

Fam
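The following C model is an added illustration of the point raised in this exchange; it is not QEMU code and not part of the thread. It shows why a store into req after the error handler has returned is unsafe when one of the handler's paths has already freed the request, and how moving the store into the handler, at the point where the request is put on the restart queue, removes both the write-after-free and the stale mr_next link that would otherwise complete the next request twice. The handler shape it assumes (stop queues the request, report completes it with an error and frees it, both return true) is an assumption about the code, not something the quoted hunk shows, and every type and function name here is hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical model of the virtio-blk error path; not QEMU code. */
typedef enum { ACTION_IGNORE, ACTION_REPORT, ACTION_STOP } ErrorAction;

typedef struct Req {
    bool live;              /* cleared by req_free(); stands in for a real free() */
    struct Req *mr_next;    /* next request in a merged I/O chain */
    struct Req *next;       /* link in the device's restart queue */
} Req;

typedef struct {
    Req *rq;                /* restart queue, replayed after the VM resumes */
    ErrorAction action;     /* configured rerror=/werror= policy (assumed) */
    int bad_stores;         /* stores into a request that was already freed */
} Dev;

/* Static pool instead of malloc(), so a "freed" request can still be
 * inspected here without undefined behaviour. */
static Req pool[4];

static Req *make_chain(int n)
{
    if (n > 4) n = 4;
    for (int i = 0; i < n; i++) {
        pool[i].live = true;
        pool[i].next = NULL;
        pool[i].mr_next = (i + 1 < n) ? &pool[i + 1] : NULL;
    }
    return &pool[0];
}

static void req_free(Req *req) { req->live = false; }

/* In real code this store would scribble on freed memory; here it is
 * counted so the outcome can be checked. */
static void set_mr_next(Dev *s, Req *req, Req *v)
{
    if (!req->live) { s->bad_stores++; return; }
    req->mr_next = v;
}

/* Assumed handler shape: STOP queues the request for restart, REPORT
 * completes it with an error and frees it. Both return true, so the
 * caller cannot tell from the return value whether req is still valid. */
static bool handle_rw_error_v3(Dev *s, Req *req)
{
    if (s->action == ACTION_STOP) {
        req->next = s->rq;
        s->rq = req;
    } else if (s->action == ACTION_REPORT) {
        req_free(req);
    }
    return s->action != ACTION_IGNORE;
}

/* Fixed handler: break the chain link where the request is queued, so the
 * caller never has to touch req after the call. */
static bool handle_rw_error_fixed(Dev *s, Req *req)
{
    if (s->action == ACTION_STOP) {
        req->mr_next = NULL;
        req->next = s->rq;
        s->rq = req;
    } else if (s->action == ACTION_REPORT) {
        req_free(req);
    }
    return s->action != ACTION_IGNORE;
}

/* Completion loop in the shape of the v3 hunk: the store happens after the
 * handler returns. Returns the number of stores into freed requests. */
static int rw_complete_v3(Dev *s, Req *chain)
{
    for (Req *req = chain, *nx = NULL; req; req = nx) {
        nx = req->mr_next;
        if (handle_rw_error_v3(s, req)) {
            set_mr_next(s, req, NULL);
            continue;
        }
        req_free(req);              /* normal completion frees the request */
    }
    return s->bad_stores;
}

static int rw_complete_fixed(Dev *s, Req *chain)
{
    for (Req *req = chain, *nx = NULL; req; req = nx) {
        nx = req->mr_next;
        if (handle_rw_error_fixed(s, req)) continue;
        req_free(req);
    }
    return s->bad_stores;
}

/* Queued requests whose mr_next still points into the chain: each would be
 * completed a second time when its predecessor is replayed. */
static int queued_with_link(const Dev *s)
{
    int n = 0;
    for (const Req *r = s->rq; r; r = r->next) n += (r->mr_next != NULL);
    return n;
}

static int demo_report_v3(void)
{
    Dev s = { .action = ACTION_REPORT };
    return rw_complete_v3(&s, make_chain(3));      /* 3 stores after free */
}

static int demo_report_fixed(void)
{
    Dev s = { .action = ACTION_REPORT };
    return rw_complete_fixed(&s, make_chain(3));   /* 0 */
}

static int demo_stop_fixed_dangling(void)
{
    Dev s = { .action = ACTION_STOP };
    rw_complete_fixed(&s, make_chain(3));
    return queued_with_link(&s);                   /* 0: every queued link broken */
}
```

The point the model makes is that a boolean "handled" return value does not tell the caller whether the object is still alive, so any bookkeeping on the request has to happen inside the function that decides between queueing and freeing it.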

Thread overview: 5+ messages
2015-11-17 10:20 [Qemu-devel] [PATCH v3] virtio-blk: Fix double completion for werror=stop Fam Zheng
2015-11-17 10:34 ` Stefan Hajnoczi
2015-11-17 15:21   ` Laurent Vivier
2015-11-22 19:41 ` Paolo Bonzini
2015-11-23  0:39   ` Fam Zheng [this message]
