From: "Daniel P. Berrangé" <berrange@redhat.com>
To: "Marc-André Lureau" <marcandre.lureau@gmail.com>
Cc: Laurent Vivier <lvivier@redhat.com>,
	Paolo Bonzini <pbonzini@redhat.com>,
	Thomas Huth <thuth@redhat.com>,
	qemu-devel <qemu-devel@nongnu.org>,
	Yongji Xie <elohimes@gmail.com>
Subject: Re: [Qemu-devel] [PATCH v2 01/16] io: store reference to thread information in the QIOTask struct
Date: Mon, 4 Feb 2019 13:56:08 +0000	[thread overview]
Message-ID: <20190204135608.GN1905@redhat.com> (raw)
In-Reply-To: <CAJ+F1C+pYc9_M0PBNXFd9SSHoOu_4nV4jKCYB+YqgJ1Jom0r_Q@mail.gmail.com>

On Mon, Feb 04, 2019 at 11:40:55AM +0100, Marc-André Lureau wrote:
> Hi
> On Mon, Feb 4, 2019 at 11:38 AM Marc-André Lureau
> <marcandre.lureau@redhat.com> wrote:
> >
> > On Wed, Jan 23, 2019 at 6:27 PM Daniel P. Berrangé <berrange@redhat.com> wrote:
> > >
> > > Currently the struct QIOTaskThreadData is only needed by the worker
> > > thread, but a subsequent patch will need to access it from another
> > > context.
> > >
> > > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> >
> > Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> 
> nack:
> 
> 
> $ tests/test-char
> /char/null: OK
> /char/invalid: OK
> /char/ringbuf: OK
> /char/mux: OK
> /char/stdio: OK
> /char/pipe: OK
> /char/file: OK
> /char/file-fifo: OK
> /char/udp: OK
> /char/serial: OK
> /char/hotswap: OK
> /char/websocket: OK
> /char/socket/basic: OK
> /char/socket/reconnect:
> =================================================================
> ==22150==ERROR: AddressSanitizer: heap-use-after-free on address
> 0x606000004198 at pc 0x5618a22be8d3 bp 0x7fffa43d8a80 sp
> 0x7fffa43d8a70
> READ of size 8 at 0x606000004198 thread T0
>     #0 0x5618a22be8d2 in qio_task_thread_result
> /home/elmarco/src/qemu/io/task.c:91
>     #1 0x7f111f08397a  (/lib64/libglib-2.0.so.0+0x4b97a)
>     #2 0x7f111f08706c in g_main_context_dispatch
> (/lib64/libglib-2.0.so.0+0x4f06c)
>     #3 0x5618a23969b7 in glib_pollfds_poll
> /home/elmarco/src/qemu/util/main-loop.c:215
>     #4 0x5618a23969b7 in os_host_main_loop_wait
> /home/elmarco/src/qemu/util/main-loop.c:238
>     #5 0x5618a23969b7 in main_loop_wait
> /home/elmarco/src/qemu/util/main-loop.c:497
>     #6 0x5618a2299786 in main_loop /home/elmarco/src/qemu/tests/test-char.c:27
>     #7 0x5618a229b651 in char_socket_test_common
> /home/elmarco/src/qemu/tests/test-char.c:355
>     #8 0x7f111f0aefc9  (/lib64/libglib-2.0.so.0+0x76fc9)
>     #9 0x7f111f0aee83  (/lib64/libglib-2.0.so.0+0x76e83)
>     #10 0x7f111f0aee83  (/lib64/libglib-2.0.so.0+0x76e83)
>     #11 0x7f111f0af281 in g_test_run_suite (/lib64/libglib-2.0.so.0+0x77281)
>     #12 0x7f111f0af2a4 in g_test_run (/lib64/libglib-2.0.so.0+0x772a4)
>     #13 0x5618a2293859 in main /home/elmarco/src/qemu/tests/test-char.c:971
>     #14 0x7f111de11412 in __libc_start_main (/lib64/libc.so.6+0x24412)
>     #15 0x5618a2295c1d in _start
> (/home/elmarco/src/qemu/build/tests/test-char+0x23ac1d)
> 
> 0x606000004198 is located 56 bytes inside of 64-byte region
> [0x606000004160,0x6060000041a0)
> freed by thread T0 here:
>     #0 0x7f111f2f0480 in free (/lib64/libasan.so.5+0xef480)
>     #1 0x7f111f08ced1 in g_free (/lib64/libglib-2.0.so.0+0x54ed1)
>     #2 0x5618a243759f  (/home/elmarco/src/qemu/build/tests/test-char+0x3dc59f)
> 
> previously allocated by thread T0 here:
>     #0 0x7f111f2f0a50 in __interceptor_calloc (/lib64/libasan.so.5+0xefa50)
>     #1 0x7f111f08ce1d in g_malloc0 (/lib64/libglib-2.0.so.0+0x54e1d)
> 
> SUMMARY: AddressSanitizer: heap-use-after-free
> /home/elmarco/src/qemu/io/task.c:91 in qio_task_thread_result
> Shadow bytes around the buggy address:

FWIW, valgrind reports the same problem

Needs this change squashed in to fix it

diff --git a/io/task.c b/io/task.c
index d100a754d3..396866b10f 100644
--- a/io/task.c
+++ b/io/task.c
@@ -66,6 +66,18 @@ QIOTask *qio_task_new(Object *source,
 
 static void qio_task_free(QIOTask *task)
 {
+    if (task->thread) {
+        if (task->thread->destroy) {
+            task->thread->destroy(task->thread->opaque);
+        }
+
+        if (task->thread->context) {
+            g_main_context_unref(task->thread->context);
+        }
+
+        g_free(task->thread);
+    }
+
     if (task->destroy) {
         task->destroy(task->opaque);
     }
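Review bot: moving the thread-data teardown into qio_task_free() silently changes the destroy order: task->thread->destroy and the g_main_context_unref now run before task->destroy, whereas the block being deleted from qio_task_thread_result ran them after qio_task_complete(), i.e. after task->destroy had already fired. Given that qio_task_complete() is what frees the task, this is the only place the thread data can be released safely, but a one-line comment above `if (task->thread) {` stating that the thread data is owned by the task and is torn down before the task's own opaque would save the next reader from wondering whether the two destroy callbacks depend on each other. Also worth double-checking that nothing assigns task->thread after qio_task_free() has been entered, since the pointer is never cleared here (unnecessary, as the task itself is freed moments later, but only if no other path reads it).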
@@ -88,17 +100,6 @@ static gboolean qio_task_thread_result(gpointer opaque)
     trace_qio_task_thread_result(task);
     qio_task_complete(task);
 
-    if (task->thread->destroy) {
-        task->thread->destroy(task->thread->opaque);
-    }
-
-    if (task->thread->context) {
-        g_main_context_unref(task->thread->context);
-    }
-
-    g_free(task->thread);
-    task->thread = NULL;
-
     return FALSE;
 }
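Review bot: this deletion is the actual fix for the ASan report above (task.c:91): qio_task_complete(task) on the line before frees the task, so every read of task->thread that followed was a heap-use-after-free, and the `task->thread = NULL;` store was a write into freed memory as well. With the block gone, `task` is dead as soon as qio_task_complete() returns; a comment on that call (e.g. `/* task is freed by qio_task_complete() */`) would stop someone reinserting post-completion access later, and any other caller of qio_task_complete() on the thread path should get the same look to confirm it does not touch task->thread afterwards.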



Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
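A constructed C model of the ownership rule the squashed change enforces, added here as an illustration; it is not QEMU code and not part of the thread. The structs are simplified stand-ins for QIOTask and QIOTaskThreadData (assumption: only the lifetime handling is modelled, the real structs carry more fields), the GMainContext refcount is replaced by a plain counter, and an event log records the teardown order so a test can check it without touching freed memory. The idle callback does exactly what the fixed qio_task_thread_result does: complete the task and return, never dereferencing it afterwards.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-ins for QEMU's QIOTask / QIOTaskThreadData (assumption:
 * the real structs have more fields; only lifetime handling is modelled). */
typedef struct Task Task;
typedef void (*TaskFunc)(Task *task, void *opaque);
typedef void (*DestroyFunc)(void *opaque);

typedef struct {
    void *opaque;
    DestroyFunc destroy;
    int context_refs;         /* stands in for the GMainContext refcount */
} TaskThread;

struct Task {
    TaskFunc func;
    void *opaque;
    DestroyFunc destroy;
    TaskThread *thread;       /* owned by the task, as after patch 01/16 */
};

/* Event log so a test can verify teardown order without reading freed memory. */
static char event_log[256];

static void log_event(const char *e)
{
    strncat(event_log, e, sizeof(event_log) - strlen(event_log) - 1);
}

static void log_reset(void)
{
    event_log[0] = '\0';
}

static void task_destroy_cb(void *opaque)   { (void)opaque; log_event("task-destroy;"); }
static void thread_destroy_cb(void *opaque) { (void)opaque; log_event("thread-destroy;"); }
static void task_func(Task *t, void *opaque) { (void)t; (void)opaque; log_event("func;"); }

/* Fixed shape: the thread data is released as part of freeing the task, so
 * nothing can touch task->thread after task_complete() returns. The order is
 * thread destroy, context unref, then the task's own destroy. */
void task_free(Task *task)
{
    if (task->thread) {
        if (task->thread->destroy) {
            task->thread->destroy(task->thread->opaque);
        }
        if (task->thread->context_refs) {
            task->thread->context_refs--;
            log_event("context-unref;");
        }
        free(task->thread);
    }
    if (task->destroy) {
        task->destroy(task->opaque);
    }
    free(task);
}

/* Completion runs the callback and then frees the task: after this returns
 * 'task' is a dangling pointer and must not be dereferenced by the caller. */
void task_complete(Task *task)
{
    task->func(task, task->opaque);
    task_free(task);
}

Task *task_new(void)
{
    Task *t = calloc(1, sizeof(*t));
    t->func = task_func;
    t->destroy = task_destroy_cb;
    t->thread = calloc(1, sizeof(*t->thread));
    t->thread->destroy = thread_destroy_cb;
    t->thread->context_refs = 1;
    return t;
}

/* The idle callback as it must look after the squash: complete and return,
 * with no access to the task afterwards (the removed block in the patch
 * read task->thread here, which is the use-after-free ASan reported). */
int thread_result_fixed(void *opaque)
{
    Task *task = opaque;
    task_complete(task);
    return 0;   /* G_SOURCE_REMOVE */
}

/* Runs the fixed path once and returns the recorded teardown order. */
const char *run_fixed_lifecycle(void)
{
    log_reset();
    thread_result_fixed(task_new());
    return event_log;
}

int main(void)
{
    printf("%s\n", run_fixed_lifecycle());
    return 0;
}
```

Building this with `-fsanitize=address` (or running it under valgrind, as Daniel did) stays clean; reintroducing any read of `task->thread` after `task_complete()` in `thread_result_fixed` reproduces the heap-use-after-free class of report shown in the quoted test output.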


Thread overview: 24+ messages
2019-01-23 17:27 [Qemu-devel] [PATCH v2 00/16] chardev: refactoring & many bugfixes related tcp_chr_wait_connected Daniel P. Berrangé
2019-01-23 17:27 ` [Qemu-devel] [PATCH v2 01/16] io: store reference to thread information in the QIOTask struct Daniel P. Berrangé
2019-02-04 10:37   ` Marc-André Lureau
2019-02-04 10:40     ` Marc-André Lureau
2019-02-04 13:56       ` Daniel P. Berrangé [this message]
2019-01-23 17:27 ` [Qemu-devel] [PATCH v2 02/16] io: add qio_task_wait_thread to join with a background thread Daniel P. Berrangé
2019-01-23 17:27 ` [Qemu-devel] [PATCH v2 03/16] chardev: fix validation of options for QMP created chardevs Daniel P. Berrangé
2019-01-23 17:27 ` [Qemu-devel] [PATCH v2 04/16] chardev: forbid 'reconnect' option with server sockets Daniel P. Berrangé
2019-01-23 17:27 ` [Qemu-devel] [PATCH v2 05/16] chardev: forbid 'wait' option with client sockets Daniel P. Berrangé
2019-01-23 17:27 ` [Qemu-devel] [PATCH v2 06/16] chardev: remove many local variables in qemu_chr_parse_socket Daniel P. Berrangé
2019-01-23 17:27 ` [Qemu-devel] [PATCH v2 07/16] chardev: ensure qemu_chr_parse_compat reports missing driver error Daniel P. Berrangé
2019-01-23 17:27 ` [Qemu-devel] [PATCH v2 08/16] chardev: remove unused 'sioc' variable & cleanup paths Daniel P. Berrangé
2019-01-23 17:27 ` [Qemu-devel] [PATCH v2 09/16] chardev: split tcp_chr_wait_connected into two methods Daniel P. Berrangé
2019-01-23 17:27 ` [Qemu-devel] [PATCH v2 10/16] chardev: split up qmp_chardev_open_socket connection code Daniel P. Berrangé
2019-01-23 17:27 ` [Qemu-devel] [PATCH v2 11/16] chardev: use a state machine for socket connection state Daniel P. Berrangé
2019-01-23 17:27 ` [Qemu-devel] [PATCH v2 12/16] chardev: honour the reconnect setting in tcp_chr_wait_connected Daniel P. Berrangé
2019-01-23 17:27 ` [Qemu-devel] [PATCH v2 13/16] chardev: disallow TLS/telnet/websocket with tcp_chr_wait_connected Daniel P. Berrangé
2019-01-23 17:27 ` [Qemu-devel] [PATCH v2 14/16] chardev: fix race with client connections in tcp_chr_wait_connected Daniel P. Berrangé
2019-01-23 17:27 ` [Qemu-devel] [PATCH v2 15/16] tests: expand coverage of socket chardev test Daniel P. Berrangé
2019-01-23 17:27 ` [Qemu-devel] [PATCH v2 16/16] chardev: ensure termios is fully initialized Daniel P. Berrangé
2019-02-04 10:20   ` Marc-André Lureau
2019-02-06 13:45 ` [Qemu-devel] [PATCH v2 00/16] chardev: refactoring & many bugfixes related tcp_chr_wait_connected Marc-André Lureau
2019-02-06 13:56   ` Daniel P. Berrangé
2019-02-06 14:35     ` Marc-André Lureau
