From: Paolo Bonzini <pbonzini@redhat.com>
To: qemu-devel@nongnu.org
Cc: Fam Zheng <famz@redhat.com>
Subject: [Qemu-devel] [PULL 06/22] dma-helpers: Fix race condition of continue_after_map_failure and dma_aio_cancel
Date: Tue, 28 Apr 2015 16:40:13 +0200	[thread overview]
Message-ID: <1430232029-9457-7-git-send-email-pbonzini@redhat.com> (raw)
In-Reply-To: <1430232029-9457-1-git-send-email-pbonzini@redhat.com>

From: Fam Zheng <famz@redhat.com>

If DMA's owning thread cancels the IO while the bounce buffer's owning thread
is notifying the "cpu client list", a use-after-free happens:

     continue_after_map_failure               dma_aio_cancel
     ------------------------------------------------------------------
     aio_bh_new
                                              qemu_bh_delete
     qemu_bh_schedule (use after free)

Also, the old code doesn't run the bh in the right AioContext.

Fix both problems by passing a QEMUBH to cpu_register_map_client.

Signed-off-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <1426496617-10702-6-git-send-email-famz@redhat.com>
[Remove unnecessary forward declaration. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 dma-helpers.c             | 17 ++++++++---------
 exec.c                    | 34 +++++++++++++++++++++-------------
 include/exec/cpu-common.h |  3 ++-
 3 files changed, 31 insertions(+), 23 deletions(-)

diff --git a/dma-helpers.c b/dma-helpers.c
index 6918572..1fddf6a 100644
--- a/dma-helpers.c
+++ b/dma-helpers.c
@@ -92,14 +92,6 @@ static void reschedule_dma(void *opaque)
     dma_blk_cb(dbs, 0);
 }
 
-static void continue_after_map_failure(void *opaque)
-{
-    DMAAIOCB *dbs = (DMAAIOCB *)opaque;
-
-    dbs->bh = qemu_bh_new(reschedule_dma, dbs);
-    qemu_bh_schedule(dbs->bh);
-}
-
 static void dma_blk_unmap(DMAAIOCB *dbs)
 {
     int i;
@@ -161,7 +153,9 @@ static void dma_blk_cb(void *opaque, int ret)
 
     if (dbs->iov.size == 0) {
         trace_dma_map_wait(dbs);
-        cpu_register_map_client(dbs, continue_after_map_failure);
+        dbs->bh = aio_bh_new(blk_get_aio_context(dbs->blk),
+                             reschedule_dma, dbs);
+        cpu_register_map_client(dbs->bh);
         return;
     }
 
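Review bot: The new `dbs->bh = aio_bh_new(...)` in the map-wait path overwrites dbs->bh unconditionally, so any BH still stored in the field at that point would be leaked rather than deleted; the code relies on reschedule_dma (whose head is outside the hunk) having cleared the field before it re-enters dma_blk_cb, and nothing in this hunk enforces that. Making the invariant explicit with `assert(!dbs->bh);` immediately before the aio_bh_new() call costs nothing on the hot path and turns a silent leak into a diagnosable failure if a future caller reaches this branch with a BH still outstanding. dma_blk_cb itself starts outside the hunk.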
@@ -183,6 +177,11 @@ static void dma_aio_cancel(BlockAIOCB *acb)
     if (dbs->acb) {
         blk_aio_cancel_async(dbs->acb);
     }
+    if (dbs->bh) {
+        cpu_unregister_map_client(dbs->bh);
+        qemu_bh_delete(dbs->bh);
+        dbs->bh = NULL;
+    }
 }
 
 
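Review bot: After the added `if (dbs->bh)` block a request cancelled while it is waiting for the bounce buffer is never completed: the BH that would have re-entered dma_blk_cb is deleted, so nothing fires dbs->common.cb or releases the AIOCB, and a caller that uses the synchronous blk_aio_cancel() and waits for the reference count to drop would spin forever. Before this patch the pending BH still ran and the request finished normally, so this is new behaviour introduced by the fix rather than a pre-existing gap. If dma_complete() (defined outside the hunk) is the routine that runs the callback and drops the reference, calling `dma_complete(dbs, -ECANCELED);` after clearing dbs->bh would close the hole; otherwise the callback invocation and the qemu_aio_unref() need to happen here. It is also worth stating the exclusivity the two branches assume, e.g. `assert(!(dbs->acb && dbs->bh));` at the top, since a request is either in flight on the block layer or parked on the map-client list, never both. dma_aio_cancel's head is outside the hunk.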
diff --git a/exec.c b/exec.c
index 2c87f1d..065f5e8 100644
--- a/exec.c
+++ b/exec.c
@@ -2479,8 +2479,7 @@ typedef struct {
 static BounceBuffer bounce;
 
 typedef struct MapClient {
-    void *opaque;
-    void (*callback)(void *opaque);
+    QEMUBH *bh;
     QLIST_ENTRY(MapClient) link;
 } MapClient;
 
@@ -2488,31 +2487,34 @@ QemuMutex map_client_list_lock;
 static QLIST_HEAD(map_client_list, MapClient) map_client_list
     = QLIST_HEAD_INITIALIZER(map_client_list);
 
-static void cpu_unregister_map_client(void *_client);
+static void cpu_unregister_map_client_do(MapClient *client)
+{
+    QLIST_REMOVE(client, link);
+    g_free(client);
+}
+
 static void cpu_notify_map_clients_locked(void)
 {
     MapClient *client;
 
     while (!QLIST_EMPTY(&map_client_list)) {
         client = QLIST_FIRST(&map_client_list);
-        client->callback(client->opaque);
-        cpu_unregister_map_client(client);
+        qemu_bh_schedule(client->bh);
+        cpu_unregister_map_client_do(client);
     }
 }
 
-void *cpu_register_map_client(void *opaque, void (*callback)(void *opaque))
+void cpu_register_map_client(QEMUBH *bh)
 {
     MapClient *client = g_malloc(sizeof(*client));
 
     qemu_mutex_lock(&map_client_list_lock);
-    client->opaque = opaque;
-    client->callback = callback;
+    client->bh = bh;
     QLIST_INSERT_HEAD(&map_client_list, client, link);
     if (!atomic_read(&bounce.in_use)) {
         cpu_notify_map_clients_locked();
     }
     qemu_mutex_unlock(&map_client_list_lock);
-    return client;
 }
 
 void cpu_exec_init_all(void)
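Review bot: cpu_register_map_client inserts @bh without checking whether it is already on the list, and a duplicate registration would defeat the fix this hunk makes: cpu_unregister_map_client removes only the first match, so the second entry would later have qemu_bh_schedule() called on a BH the owner has already deleted, which is exactly the use-after-free described in the commit message. A guard such as `QLIST_FOREACH(c, &map_client_list, link) { assert(c->bh != bh); }` before the QLIST_INSERT_HEAD is cheap because the list is short and is held under map_client_list_lock anyway. The loop in cpu_notify_map_clients_locked should also say why it is safe to free the entry right after scheduling: `/* One-shot: the BH is the caller's; we only ever schedule it once and then drop our reference. */`, since that is the reason a caller must unregister before deleting its BH.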
@@ -2523,12 +2525,18 @@ void cpu_exec_init_all(void)
     qemu_mutex_init(&map_client_list_lock);
 }
 
-static void cpu_unregister_map_client(void *_client)
+void cpu_unregister_map_client(QEMUBH *bh)
 {
-    MapClient *client = (MapClient *)_client;
+    MapClient *client;
 
-    QLIST_REMOVE(client, link);
-    g_free(client);
+    qemu_mutex_lock(&map_client_list_lock);
+    QLIST_FOREACH(client, &map_client_list, link) {
+        if (client->bh == bh) {
+            cpu_unregister_map_client_do(client);
+            break;
+        }
+    }
+    qemu_mutex_unlock(&map_client_list_lock);
 }
 
 static void cpu_notify_map_clients(void)
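Review bot: cpu_unregister_map_client returns silently when @bh is not on the list, and that is the normal case whenever cpu_notify_map_clients_locked has already scheduled the BH and freed the entry before the cancel path took the lock; a reader seeing only the loop may mistake the miss for a bug. A one-line comment above the QLIST_FOREACH, `/* A miss is expected: notification may already have consumed the registration. */`, records that, and it is worth noting in the same comment that the caller still owns @bh and is responsible for deleting it (as dma_aio_cancel does) after this returns.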
diff --git a/include/exec/cpu-common.h b/include/exec/cpu-common.h
index fcc3162..43428bd 100644
--- a/include/exec/cpu-common.h
+++ b/include/exec/cpu-common.h
@@ -82,7 +82,8 @@ void *cpu_physical_memory_map(hwaddr addr,
                               int is_write);
 void cpu_physical_memory_unmap(void *buffer, hwaddr len,
                                int is_write, hwaddr access_len);
-void *cpu_register_map_client(void *opaque, void (*callback)(void *opaque));
+void cpu_register_map_client(QEMUBH *bh);
+void cpu_unregister_map_client(QEMUBH *bh);
 
 bool cpu_physical_memory_is_io(hwaddr phys_addr);
 
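Review bot: The two new declarations carry no contract, yet correct use depends on an ownership rule the commit message only implies: the BH remains owned by the caller, it is scheduled at most once when the bounce buffer becomes free and the registration is then dropped, and a caller that wants to delete the BH before that point must call cpu_unregister_map_client() first or the list will schedule freed memory. A comment above cpu_register_map_client such as `/* Register @bh to be scheduled once the bounce buffer is free; the registration is consumed on notification. @bh stays owned by the caller, who must cpu_unregister_map_client() it before deleting it. */` would make the invariant visible at the API boundary rather than leaving it to be reverse-engineered from exec.c. If QEMUBH is not already declared via an include this header pulls in, it also needs a forward declaration or the qemu/typedefs.h include here; the include list is outside the hunk so this cannot be confirmed from the diff.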
-- 
2.3.5

