* [Qemu-devel] [PATCH 0/1] ahci: fix ncq aiocb-related segfault
@ 2016-09-22 20:10 John Snow
2016-09-22 20:10 ` [Qemu-devel] [PATCH 1/1] ahci: clear aiocb in ncq_cb John Snow
2016-09-26 16:10 ` [Qemu-devel] [Qemu-block] [PATCH 0/1] ahci: fix ncq aiocb-related segfault Stefan Hajnoczi
From: John Snow @ 2016-09-22 20:10 UTC (permalink / raw)
To: qemu-block; +Cc: kwolf, pbonzini, qemu-stable, qemu-devel, John Snow
Fix ncq_cb to prevent a segfault on sys_reset.
John Snow (1):
ahci: clear aiocb in ncq_cb
hw/ide/ahci.c | 1 +
1 file changed, 1 insertion(+)
--
2.7.4
* [Qemu-devel] [PATCH 1/1] ahci: clear aiocb in ncq_cb
2016-09-22 20:10 [Qemu-devel] [PATCH 0/1] ahci: fix ncq aiocb-related segfault John Snow
@ 2016-09-22 20:10 ` John Snow
2016-09-26 16:10 ` [Qemu-devel] [Qemu-block] [PATCH 0/1] ahci: fix ncq aiocb-related segfault Stefan Hajnoczi
From: John Snow @ 2016-09-22 20:10 UTC (permalink / raw)
To: qemu-block; +Cc: kwolf, pbonzini, qemu-stable, qemu-devel, John Snow
Similar to existing fixes for IDE and ATAPI, the AIOCB
must be cleared in the callback. Otherwise, we may accidentally
try to reset it after the object has been released.
Signed-off-by: John Snow <jsnow@redhat.com>
---
hw/ide/ahci.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index f3438ad..63ead21 100644
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -948,6 +948,7 @@ static void ncq_cb(void *opaque, int ret)
NCQTransferState *ncq_tfs = (NCQTransferState *)opaque;
IDEState *ide_state = &ncq_tfs->drive->port.ifs[0];
+ ncq_tfs->aiocb = NULL;
if (ret == -ECANCELED) {
return;
}
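Review bot: the `ncq_tfs->aiocb = NULL;` store is correctly placed before the `if (ret == -ECANCELED)` early return, since a cancelled request is released just like a completed one and clearing only on the success path would leave the same dangling handle behind; the commit message, however, should state the actual crash sequence (bdrv_aio_cancel() from the reset path on a handle whose ncq_cb() has already run, as raised in the review reply), because "must be cleared in the callback" alone does not tell a reader why a NULL store fixes a segfault, and the stable backport will be judged on that description.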
--
2.7.4
* Re: [Qemu-devel] [Qemu-block] [PATCH 0/1] ahci: fix ncq aiocb-related segfault
2016-09-22 20:10 [Qemu-devel] [PATCH 0/1] ahci: fix ncq aiocb-related segfault John Snow
2016-09-22 20:10 ` [Qemu-devel] [PATCH 1/1] ahci: clear aiocb in ncq_cb John Snow
@ 2016-09-26 16:10 ` Stefan Hajnoczi
2016-09-26 18:34 ` John Snow
From: Stefan Hajnoczi @ 2016-09-26 16:10 UTC (permalink / raw)
To: John Snow; +Cc: qemu-block, kwolf, pbonzini, qemu-stable, qemu-devel
On Thu, Sep 22, 2016 at 04:10:39PM -0400, John Snow wrote:
> Fix ncq_cb to prevent a segfault on sys_reset.
>
> John Snow (1):
> ahci: clear aiocb in ncq_cb
>
> hw/ide/ahci.c | 1 +
> 1 file changed, 1 insertion(+)
>
> --
> 2.7.4
Maybe worth adding as a clarification:
The issue is when bdrv_aio_cancel() is called after ncq_cb() was already
invoked. The aiocb will be a dangling pointer.
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
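The lifetime bug described in the commit message ("we may accidentally try to reset it after the object has been released") and spelled out in Stefan's reply (bdrv_aio_cancel() called after ncq_cb() already ran, on a now-dangling aiocb), as an added example that is not QEMU's code. The types and functions here (block_aiocb, ncq_state, aio_submit, aio_complete, aio_cancel, ncq_cb_buggy, ncq_cb_fixed, ncq_reset) are hypothetical stand-ins for BlockAIOCB, NCQTransferState, ncq_cb() and bdrv_aio_cancel(); a released AIOCB keeps a liveness flag instead of being freed, so the use-after-release is reported deterministically rather than being undefined behaviour:

```c
/* Added example, not QEMU code: reduced model of the AIOCB lifetime bug fixed
 * by "ahci: clear aiocb in ncq_cb".  All names below are hypothetical stand-ins
 * for BlockAIOCB, NCQTransferState, ncq_cb() and bdrv_aio_cancel().  A released
 * AIOCB keeps a liveness flag instead of being freed, so the use-after-release
 * is reported rather than being undefined behaviour. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

typedef void (*aio_cb)(void *opaque, int ret);

typedef struct {
    bool live;            /* cleared on completion: stands in for free() */
    aio_cb cb;
    void *opaque;
} block_aiocb;

typedef struct {
    block_aiocb *aiocb;   /* non-NULL is supposed to mean "still in flight" */
    int cancels_seen;     /* -ECANCELED completions observed by the callback */
} ncq_state;

static block_aiocb slot;  /* one-request "allocator" */

static block_aiocb *aio_submit(aio_cb cb, void *opaque)
{
    if (slot.live) {
        return NULL;
    }
    slot = (block_aiocb){ .live = true, .cb = cb, .opaque = opaque };
    return &slot;
}

/* Completion: run the callback, then release the AIOCB (QEMU frees it here). */
static void aio_complete(block_aiocb *acb, int ret)
{
    acb->cb(acb->opaque, ret);
    acb->live = false;
}

/* bdrv_aio_cancel() model: live request gets -ECANCELED; released one is -1. */
static int aio_cancel(block_aiocb *acb)
{
    if (!acb->live) {
        return -1;        /* the dangling pointer from the thread */
    }
    aio_complete(acb, -ECANCELED);
    return 0;
}

/* Before the patch: the callback never clears the handle it was issued under. */
static void ncq_cb_buggy(void *opaque, int ret)
{
    ncq_state *ncq = opaque;
    if (ret == -ECANCELED) {
        ncq->cancels_seen++;
    }
}

/* After the patch: clear before the -ECANCELED early return, as ncq_cb() does. */
static void ncq_cb_fixed(void *opaque, int ret)
{
    ncq_state *ncq = opaque;
    ncq->aiocb = NULL;
    if (ret == -ECANCELED) {
        ncq->cancels_seen++;
    }
}

/* Reset path: cancel whatever still looks in flight; -1 means use-after-release. */
static int ncq_reset(ncq_state *ncq)
{
    int rc = 0;
    if (ncq->aiocb) {
        rc = aio_cancel(ncq->aiocb);
        ncq->aiocb = NULL;
    }
    return rc;
}

/* The thread's sequence: the request completes, then the port is reset. */
static int reset_after_completion(aio_cb cb)
{
    ncq_state ncq = { 0 };
    slot.live = false;
    ncq.aiocb = aio_submit(cb, &ncq);
    aio_complete(ncq.aiocb, 0);
    return ncq_reset(&ncq);
}

/* Legitimate case: reset while in flight; returns cancels delivered, -1 on bug. */
static int reset_while_in_flight(aio_cb cb)
{
    ncq_state ncq = { 0 };
    slot.live = false;
    ncq.aiocb = aio_submit(cb, &ncq);
    return ncq_reset(&ncq) == 0 ? ncq.cancels_seen : -1;
}

int main(void)
{
    printf("buggy, reset after completion: %d\n", reset_after_completion(ncq_cb_buggy));
    printf("fixed, reset after completion: %d\n", reset_after_completion(ncq_cb_fixed));
    printf("fixed, reset while in flight:  %d\n", reset_while_in_flight(ncq_cb_fixed));
    return 0;
}
```

The buggy callback leaves `ncq.aiocb` pointing at a released request, so the reset path cancels it and the model reports -1 (QEMU would dereference freed memory); the fixed callback nulls the handle first, and the in-flight case shows the fix does not change the legitimate cancel path, where one -ECANCELED completion is still delivered.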
* Re: [Qemu-devel] [Qemu-block] [PATCH 0/1] ahci: fix ncq aiocb-related segfault
2016-09-26 16:10 ` [Qemu-devel] [Qemu-block] [PATCH 0/1] ahci: fix ncq aiocb-related segfault Stefan Hajnoczi
@ 2016-09-26 18:34 ` John Snow
From: John Snow @ 2016-09-26 18:34 UTC (permalink / raw)
To: Stefan Hajnoczi; +Cc: kwolf, pbonzini, qemu-stable, qemu-block, qemu-devel
On 09/26/2016 12:10 PM, Stefan Hajnoczi wrote:
> On Thu, Sep 22, 2016 at 04:10:39PM -0400, John Snow wrote:
>> Fix ncq_cb to prevent a segfault on sys_reset.
>>
>> John Snow (1):
>> ahci: clear aiocb in ncq_cb
>>
>> hw/ide/ahci.c | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> --
>> 2.7.4
>
> Maybe worth adding as a clarification:
>
> The issue is when bdrv_aio_cancel() is called after ncq_cb() was already
> invoked. The aiocb will be a dangling pointer.
>
Done.
> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
>
Thanks, applied to my IDE tree:
https://github.com/jnsnow/qemu/commits/ide
https://github.com/jnsnow/qemu.git
--js