From: Paolo Bonzini <pbonzini@redhat.com>
To: Fam Zheng <famz@redhat.com>, qemu-devel@nongnu.org
Cc: Kevin Wolf <kwolf@redhat.com>,
lvivier@redhat.com, qemu-block@nongnu.org, pl@kamp.de,
qemu-stable@nongnu.org, Stefan Hajnoczi <stefanha@redhat.com>,
dgibson@redhat.com
Subject: Re: [Qemu-devel] [PATCH v3] virtio-blk: Fix double completion for werror=stop
Date: Sun, 22 Nov 2015 20:41:07 +0100
Message-ID: <56521A53.8030604@redhat.com>
In-Reply-To: <1447755611-11117-1-git-send-email-famz@redhat.com>
On 17/11/2015 11:20, Fam Zheng wrote:
> When a request R is absorbed by request M, it is appended to the
> "mr_next" queue led by M, and is completed together with the completion
> of M, in virtio_blk_rw_complete.
>
> During DMA restart in virtio_blk_dma_restart_bh, requests in s->rq are
> parsed and submitted again, possibly with a stale req->mr_next. It could
> be a problem if the request merging in virtio_blk_handle_request hasn't
> refreshed every mr_next pointer, in which case, virtio_blk_rw_complete
> could walk through unexpected requests following the stale pointers.
>
> Fix this by unsetting the pointer in virtio_blk_rw_complete. It is safe
> because this req is either completed and freed right away, or it will be
> restarted and parsed from scratch out of the vq later.
>
> Signed-off-by: Fam Zheng <famz@redhat.com>
>
> ---
>
> v3: Fix as Stefan suggested.
> ---
> hw/block/virtio-blk.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
> index e70fccf..848f3fe 100644
> --- a/hw/block/virtio-blk.c
> +++ b/hw/block/virtio-blk.c
> @@ -112,6 +112,10 @@ static void virtio_blk_rw_complete(void *opaque, int ret)
> * happen on the other side of the migration).
> */
> if (virtio_blk_handle_rw_error(req, -ret, is_read)) {
> + /* Break the link in case the next request is added to the
> + * restart queue and is going to be parsed from the ring again.
> + */
> + req->mr_next = NULL;
> continue;
> }
> }
>
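Review bot: the new `req->mr_next = NULL;` store runs after `virtio_blk_handle_rw_error(req, -ret, is_read)` has already returned true, and the commit message itself says that on this path the request "is either completed and freed right away, or it will be restarted"; in the freed case this line writes into released memory (a use-after-free), even though the very next statement is `continue;`. Clear the pointer before either outcome can happen, i.e. inside `virtio_blk_handle_rw_error` ahead of the completion/free and ahead of the push onto the restart queue, and drop the assignment from this hunk so `virtio_blk_rw_complete` only keeps the existing `continue;`. The comment explaining why the link must be broken is useful and should move along with the assignment.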
This is now a write-after-free for rerror/werror=stop. The right place
to set req->mr_next is inside virtio_blk_handle_rw_error, I think.
Paolo