Re: [Qemu-devel] [PATCH for-2.9-rc5 v4 1/2] block: Walk bs->children carefully in bdrv_drain_recurse

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Kevin Wolf <kwolf@redhat.com>
To: Fam Zheng <famz@redhat.com>
Cc: qemu-devel@nongnu.org, qemu-block@nongnu.org,
	Max Reitz <mreitz@redhat.com>,
	pbonzini@redhat.com, Stefan Hajnoczi <stefanha@redhat.com>,
	jcody@redhat.com
Subject: Re: [Qemu-devel] [PATCH for-2.9-rc5 v4 1/2] block: Walk bs->children carefully in bdrv_drain_recurse
Date: Tue, 18 Apr 2017 16:46:47 +0200	[thread overview]
Message-ID: <20170418144647.GD9236@noname.redhat.com> (raw)
In-Reply-To: <20170418143044.12187-2-famz@redhat.com>

Am 18.04.2017 um 16:30 hat Fam Zheng geschrieben:
> The recursive bdrv_drain_recurse may run a block job completion BH that
> drops nodes. The coming changes will make that more likely and use-after-free
> would happen without this patch
> 
> Stash the bs pointer and use bdrv_ref/bdrv_unref in addition to
> QLIST_FOREACH_SAFE to prevent such a case from happening.
> 
> Since bdrv_unref accesses global state that is not protected by the AioContext
> lock, we cannot use bdrv_ref/bdrv_unref unconditionally.  Fortunately the
> protection is not needed in IOThread because only main loop can modify a graph
> with the AioContext lock held.
> 
> Signed-off-by: Fam Zheng <famz@redhat.com>
> ---
>  block/io.c | 23 ++++++++++++++++++++---
>  1 file changed, 20 insertions(+), 3 deletions(-)
> 
> diff --git a/block/io.c b/block/io.c
> index 8706bfa..a0df8c4 100644
> --- a/block/io.c
> +++ b/block/io.c
> @@ -158,7 +158,7 @@ bool bdrv_requests_pending(BlockDriverState *bs)
>  
>  static bool bdrv_drain_recurse(BlockDriverState *bs)
>  {
> -    BdrvChild *child;
> +    BdrvChild *child, *tmp;
>      bool waited;
>  
>      waited = BDRV_POLL_WHILE(bs, atomic_read(&bs->in_flight) > 0);
> @@ -167,8 +167,25 @@ static bool bdrv_drain_recurse(BlockDriverState *bs)
>          bs->drv->bdrv_drain(bs);
>      }
>  
> -    QLIST_FOREACH(child, &bs->children, next) {
> -        waited |= bdrv_drain_recurse(child->bs);
> +    QLIST_FOREACH_SAFE(child, &bs->children, next, tmp) {
> +        BlockDriverState *bs = child->bs;
> +        bool in_main_loop =
> +            qemu_get_current_aio_context() == qemu_get_aio_context();
> +        assert(bs->refcnt > 0);
> +        if (in_main_loop) {
> +            /* In case the resursive bdrv_drain_recurse processes a

s/resursive/recursive/

> +             * block_job_defer_to_main_loop BH and modifies the graph,
> +             * let's hold a reference to bs until we are done.
> +             *
> +             * IOThread doesn't have such a BH, and it is not safe to call
> +             * bdrv_unref without BQL, so skip doing it there.
> +             **/

And **/ is unusual, too.

> +            bdrv_ref(bs);
> +        }
> +        waited |= bdrv_drain_recurse(bs);
> +        if (in_main_loop) {
> +            bdrv_unref(bs);
> +        }
>      }

Other than this, the series looks good to me.

Kevin

next prev parent reply	other threads:[~2017-04-18 14:47 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-04-18 14:30 [Qemu-devel] [PATCH for-2.9-rc5 v4 0/2] block: Drain BH in bdrv_drained_begin Fam Zheng
2017-04-18 14:30 ` [Qemu-devel] [PATCH for-2.9-rc5 v4 1/2] block: Walk bs->children carefully in bdrv_drain_recurse Fam Zheng
2017-04-18 14:46   ` Kevin Wolf [this message]
2017-04-18 14:54     ` Fam Zheng
2017-04-18 14:30 ` [Qemu-devel] [PATCH for-2.9-rc5 v4 2/2] block: Drain BH in bdrv_drained_begin Fam Zheng
2018-02-06 15:32   ` Kevin Wolf
2018-02-07  1:48     ` Fam Zheng
2018-02-07 10:51       ` Kevin Wolf
2018-02-07 12:39         ` Fam Zheng
2018-02-07 13:10           ` Kevin Wolf
2018-02-07 14:14             ` Fam Zheng
2017-04-18 14:42 ` [Qemu-devel] [PATCH for-2.9-rc5 v4 0/2] " Paolo Bonzini
2017-04-18 14:51 ` Jeff Cody

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170418144647.GD9236@noname.redhat.com \
    --to=kwolf@redhat.com \
    --cc=famz@redhat.com \
    --cc=jcody@redhat.com \
    --cc=mreitz@redhat.com \
    --cc=pbonzini@redhat.com \
    --cc=qemu-block@nongnu.org \
    --cc=qemu-devel@nongnu.org \
    --cc=stefanha@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.