From: Paolo Bonzini <pbonzini@redhat.com>
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] [PULL 24/33] nbd: Fully initialize client in case of failed negotiation
Date: Thu, 1 Jun 2017 14:41:42 +0200 [thread overview]
Message-ID: <1496320911-51305-25-git-send-email-pbonzini@redhat.com> (raw)
In-Reply-To: <1496320911-51305-1-git-send-email-pbonzini@redhat.com>
From: Eric Blake <eblake@redhat.com>
If a non-NBD client connects to qemu-nbd, we would end up with
a SIGSEGV in nbd_cilent_put() because we were trying to
unregister the client's association to the export, even though
we skipped inserting the client into that list. Easy trigger
in two terminals:
$ qemu-nbd -p 30001 --format=raw file
$ nmap 127.0.0.1 -p 30001
nmap claims that it thinks it connected to a pago-services1
server (which probably means nmap could be updated to learn the
NBD protocol and give a more accurate diagnosis of the open
port - but that's not our problem), then terminates immediately,
so our call to nbd_negotiate() fails. The fix is to reorder
nbd_co_client_start() to ensure that all initialization occurs
before we ever try talking to a client in nbd_negotiate(), so
that the teardown sequence on negotiation failure doesn't fault
while dereferencing a half-initialized object.
While debugging this, I also noticed that nbd_update_server_watch()
called by nbd_client_closed() was still adding a channel to accept
the next client, even when the state was no longer RUNNING. That
is fixed by making nbd_can_accept() pay attention to the current
state.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1451614
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <20170527030421.28366-1-eblake@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
nbd/server.c | 8 +++-----
qemu-nbd.c | 2 +-
2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/nbd/server.c b/nbd/server.c
index ee59e5d..49b55f6 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -1358,16 +1358,14 @@ static coroutine_fn void nbd_co_client_start(void *opaque)
if (exp) {
nbd_export_get(exp);
+ QTAILQ_INSERT_TAIL(&exp->clients, client, next);
}
+ qemu_co_mutex_init(&client->send_lock);
+
if (nbd_negotiate(data)) {
client_close(client);
goto out;
}
- qemu_co_mutex_init(&client->send_lock);
-
- if (exp) {
- QTAILQ_INSERT_TAIL(&exp->clients, client, next);
- }
nbd_client_receive_next_request(client);
diff --git a/qemu-nbd.c b/qemu-nbd.c
index f60842f..651f85e 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -325,7 +325,7 @@ out:
static int nbd_can_accept(void)
{
- return nb_fds < shared;
+ return state == RUNNING && nb_fds < shared;
}
static void nbd_export_closed(NBDExport *exp)
--
1.8.3.1
next prev parent reply other threads:[~2017-06-01 12:42 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-01 12:41 [Qemu-devel] [PULL 00/33] Misc patches for 2017-06-01 Paolo Bonzini
2017-06-01 12:41 ` [Qemu-devel] [PULL 01/33] mc146818rtc: update periodic timer only if it is needed Paolo Bonzini
2017-06-01 12:41 ` [Qemu-devel] [PULL 02/33] mc146818rtc: precisely count the clock for periodic timer Paolo Bonzini
2017-06-01 12:41 ` [Qemu-devel] [PULL 03/33] mc146818rtc: ensure LOST_TICK_POLICY_SLEW is only enabled on TARGET_I386 Paolo Bonzini
2017-06-01 12:41 ` [Qemu-devel] [PULL 04/33] mc146818rtc: drop unnecessary '#ifdef TARGET_I386' Paolo Bonzini
2017-06-01 12:41 ` [Qemu-devel] [PULL 05/33] mc146818rtc: embrace all x86 specific code Paolo Bonzini
2017-06-01 12:41 ` [Qemu-devel] [PULL 06/33] kvm: irqchip: trace changes on msi add/remove Paolo Bonzini
2017-06-01 12:41 ` [Qemu-devel] [PULL 07/33] msix: trace control bit write op Paolo Bonzini
2017-06-01 12:41 ` [Qemu-devel] [PULL 08/33] kvm: irqchip: skip update msi when disabled Paolo Bonzini
2017-06-01 12:41 ` [Qemu-devel] [PULL 09/33] Check the return value of fcntl in qemu_set_cloexec Paolo Bonzini
2017-06-01 12:41 ` [Qemu-devel] [PULL 10/33] nbd: strict nbd_wr_syncv Paolo Bonzini
2017-06-01 12:41 ` [Qemu-devel] [PULL 11/33] nbd: read_sync and friends: return 0 on success Paolo Bonzini
2017-06-01 12:41 ` [Qemu-devel] [PULL 12/33] nbd: add errp parameter to nbd_wr_syncv() Paolo Bonzini
2017-06-01 12:41 ` [Qemu-devel] [PULL 13/33] nbd: add errp to read_sync, write_sync and drop_sync Paolo Bonzini
2017-06-01 12:41 ` [Qemu-devel] [PULL 14/33] nbd/client.c: use errp instead of LOG Paolo Bonzini
2017-06-01 12:41 ` [Qemu-devel] [PULL 15/33] exec: simplify phys_page_find() params Paolo Bonzini
2017-06-01 12:41 ` [Qemu-devel] [PULL 16/33] virtio-scsi: Unset hotplug handler when unrealize Paolo Bonzini
2017-06-01 12:41 ` [Qemu-devel] [PULL 17/33] vhost-user-scsi: Introduce vhost-user-scsi host device Paolo Bonzini
2017-06-05 16:28 ` Eric Blake
2017-06-05 16:38 ` Felipe Franciosi
2017-06-05 16:41 ` Eric Blake
2017-06-05 16:50 ` Paolo Bonzini
2017-06-01 12:41 ` [Qemu-devel] [PULL 18/33] vhost-user-scsi: Introduce a vhost-user-scsi sample application Paolo Bonzini
2017-06-01 12:41 ` [Qemu-devel] [PULL 19/33] target/i386: enable A20 automatically in system management mode Paolo Bonzini
2017-06-01 12:41 ` [Qemu-devel] [PULL 20/33] target/i386: use multiple CPU AddressSpaces Paolo Bonzini
2017-06-01 12:41 ` [Qemu-devel] [PULL 21/33] i386: fix read/write cr with icount option Paolo Bonzini
2017-06-01 12:41 ` [Qemu-devel] [PULL 22/33] sockets: improve error reporting if UNIX socket path is too long Paolo Bonzini
2017-06-13 16:10 ` Peter Maydell
2017-06-14 8:05 ` Daniel P. Berrange
2017-06-01 12:41 ` [Qemu-devel] [PULL 23/33] exec: fix address_space_get_iotlb_entry page mask Paolo Bonzini
2017-06-02 9:59 ` Peter Xu
2017-06-01 12:41 ` Paolo Bonzini [this message]
2017-06-01 15:15 ` [Qemu-devel] [PULL 24/33] nbd: Fully initialize client in case of failed negotiation Eric Blake
2017-06-01 12:41 ` [Qemu-devel] [PULL 25/33] qtest: add rtc periodic timer test Paolo Bonzini
2017-06-01 12:41 ` [Qemu-devel] [PULL 26/33] kvmclock: update system_time_msr address forcibly Paolo Bonzini
2017-06-01 12:41 ` [Qemu-devel] [PULL 27/33] linuxboot_dma: compile for i486 Paolo Bonzini
2017-06-01 12:41 ` [Qemu-devel] [PULL 28/33] edu: fix memory leak on msi_broken platforms Paolo Bonzini
2017-06-01 12:41 ` [Qemu-devel] [PULL 29/33] i386/kvm: do not zero out segment flags if segment is unusable or not present Paolo Bonzini
2017-06-01 12:41 ` [Qemu-devel] [PULL 30/33] target/i386: Add GDB XML description for SSE registers Paolo Bonzini
2017-06-01 12:41 ` [Qemu-devel] [PULL 31/33] hw/core: nmi.c can be compiled as common-obj nowadays Paolo Bonzini
2017-06-01 12:41 ` [Qemu-devel] [PULL 32/33] nbd: make it thread-safe, fix qcow2 over nbd Paolo Bonzini
2017-06-01 12:41 ` [Qemu-devel] [PULL 33/33] kvm: don't register smram_listener when smm is off Paolo Bonzini
2017-06-01 14:26 ` [Qemu-devel] [PULL 00/33] Misc patches for 2017-06-01 no-reply
2017-06-01 15:09 ` no-reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1496320911-51305-25-git-send-email-pbonzini@redhat.com \
--to=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).