From: gerben@altlinux.org
To: qemu-block@nongnu.org, kwolf@redhat.com, hreitz@redhat.com
Cc: qemu-devel@nongnu.org, sdl.qemu@linuxtesting.org,
	Denis Rastyogin <gerben@altlinux.org>,
	Vasiliy Kovalev <kovalev@altlinux.org>
Subject: [PATCH 3/4] qemu-img: prevent stack overflow in bench by using bottom half
Date: Thu, 27 Mar 2025 19:24:22 +0300	[thread overview]
Message-ID: <20250327162423.25154-4-gerben@altlinux.org> (raw)
In-Reply-To: <20250327162423.25154-1-gerben@altlinux.org>

From: Denis Rastyogin <gerben@altlinux.org>

This error was discovered by fuzzing qemu-img.

Previously, new I/O requests were launched synchronously inside the
completion callback `bench_cb`, leading to deep recursion and stack
overflow. This patch moves the launching of new requests to a separate
function `bench_bh`, scheduled via `qemu_bh_schedule` to run in the event
loop context, thus unwinding the stack and preventing overflow.

Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
Signed-off-by: Denis Rastyogin <gerben@altlinux.org>
---
 qemu-img.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/qemu-img.c b/qemu-img.c
index 71c9fe496f..5cbf3d18d7 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -4426,6 +4426,7 @@ typedef struct BenchData {
     int in_flight;
     bool in_flush;
     uint64_t offset;
+    QEMUBH *bh;
 } BenchData;
 
 static void bench_undrained_flush_cb(void *opaque, int ret)
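Review bot: the new `QEMUBH *bh;` member of BenchData has no comment, unlike the purpose that is obvious for `in_flight` or `in_flush`; a one-line comment such as `/* bottom half that issues the next batch of requests */` would document why a benchmark struct carries a BH and what code is expected to schedule and delete it.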
@@ -4479,7 +4480,16 @@ static void bench_cb(void *opaque, int ret)
             }
         }
     }
+    if (b->n > b->in_flight && b->in_flight < b->nrreq) {
+        qemu_bh_schedule(b->bh);
+    }
+}
 
+static void bench_bh(void *opaque)
+{
+    BenchData *b = opaque;
+    BlockAIOCB *acb;
+    
     while (b->n > b->in_flight && b->in_flight < b->nrreq) {
         int64_t offset = b->offset;
         /* blk_aio_* might look for completed I/Os and kick bench_cb
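Review bot: the added blank line after `BlockAIOCB *acb;` in `bench_bh` carries trailing whitespace (`+    `), which checkpatch will flag; please strip it. On the logic side, the new `if (b->n > b->in_flight && b->in_flight < b->nrreq)` in `bench_cb` repeats the `while` condition that now heads `bench_bh`, so the two can drift apart; since `bench_bh` does nothing when the condition is false, scheduling the BH unconditionally at the end of `bench_cb` (or factoring the condition into a small helper) would keep a single source of truth. It would also help future readers to add a comment at the `qemu_bh_schedule` call stating that request submission is deferred to the BH so that completions that are delivered synchronously from `blk_aio_*` no longer re-enter `bench_cb` recursively, which is the whole point of the patch.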
@@ -4737,6 +4747,7 @@ static int img_bench(int argc, char **argv)
     }
 
     gettimeofday(&t1, NULL);
+    data.bh = qemu_bh_new(bench_bh, &data);
     bench_cb(&data, 0);
 
     while (data.n > 0) {
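Review bot: after this change, the initial `bench_cb(&data, 0);` no longer issues any I/O itself; it only falls through to `qemu_bh_schedule`, and the first requests are submitted once `main_loop_wait` in the `while (data.n > 0)` loop below runs the BH. Calling `bench_bh(&data)` directly (or `qemu_bh_schedule(data.bh)`) here would make that intent explicit rather than routing a fake completion with `ret == 0` through the callback, and the commit message should mention that the first batch is now started from the event loop rather than synchronously.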
@@ -4755,6 +4766,9 @@ out:
     qemu_vfree(data.buf);
     blk_unref(blk);
 
+    if (data.bh) {
+        qemu_bh_delete(data.bh);
+    }
     if (ret) {
         return 1;
     }
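Review bot: the `if (data.bh)` guard before `qemu_bh_delete` is only safe if `data.bh` is NULL on every path that reaches `out:` before `qemu_bh_new` has run; the hunk does not show how `data` is initialized, so please confirm it is zero-initialized (or set `data.bh = NULL` explicitly) rather than relying on an uninitialized pointer happening to be NULL. Also consider moving the `qemu_bh_delete` call above `blk_unref(blk)`: once the BH is gone, nothing can submit another request against `blk` during teardown, and the cleanup then mirrors the setup order in `img_bench`.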
-- 
2.42.2


