From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:56647)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <bharata@linux.vnet.ibm.com>) id 1VCmSQ-0002Dj-Ue
	for qemu-devel@nongnu.org; Fri, 23 Aug 2013 04:11:09 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <bharata@linux.vnet.ibm.com>) id 1VCmSI-00040S-1G
	for qemu-devel@nongnu.org; Fri, 23 Aug 2013 04:10:58 -0400
Received: from e28smtp04.in.ibm.com ([122.248.162.4]:53158)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <bharata@linux.vnet.ibm.com>) id 1VCmSH-0003zu-Bt
	for qemu-devel@nongnu.org; Fri, 23 Aug 2013 04:10:49 -0400
Received: from /spool/local
	by e28smtp04.in.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use
	Only! Violators will be prosecuted
	for <qemu-devel@nongnu.org> from <bharata@linux.vnet.ibm.com>;
	Fri, 23 Aug 2013 13:32:42 +0530
Received: from d28relay02.in.ibm.com (d28relay02.in.ibm.com [9.184.220.59])
	by d28dlp03.in.ibm.com (Postfix) with ESMTP id A03A41258052
	for <qemu-devel@nongnu.org>; Fri, 23 Aug 2013 13:40:29 +0530 (IST)
Received: from d28av04.in.ibm.com (d28av04.in.ibm.com [9.184.220.66])
	by d28relay02.in.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id
	r7N8CHJR41287768
	for <qemu-devel@nongnu.org>; Fri, 23 Aug 2013 13:42:17 +0530
Received: from d28av04.in.ibm.com (localhost [127.0.0.1])
	by d28av04.in.ibm.com (8.14.4/8.14.4/NCO v10.0 AVout) with ESMTP id
	r7N8AfMX013359
	for <qemu-devel@nongnu.org>; Fri, 23 Aug 2013 13:40:41 +0530
Date: Fri, 23 Aug 2013 13:41:00 +0530
From: Bharata B Rao <bharata@linux.vnet.ibm.com>
Message-ID: <20130823081100.GH2755@in.ibm.com>
References: <1377050567-19122-1-git-send-email-asias@redhat.com>
	<20130821152440.GB18303@stefanha-thinkpad.redhat.com>
	<5214DF5B.50203@redhat.com> <20130823064804.GG2755@in.ibm.com>
	<52171041.9030805@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <52171041.9030805@redhat.com>
Subject: Re: [Qemu-devel] [PATCH] block: Fix race in gluster_finish_aiocb
Reply-To: bharata@linux.vnet.ibm.com
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: Kevin Wolf <kwolf@redhat.com>, Vijay Bellur <vbellur@redhat.com>, Stefan Hajnoczi <stefanha@gmail.com>, qemu-devel@nongnu.org, Stefan Hajnoczi <stefanha@redhat.com>, Asias He <asias@redhat.com>, MORITA Kazutaka <morita.kazutaka@lab.ntt.co.jp>

On Fri, Aug 23, 2013 at 09:33:21AM +0200, Paolo Bonzini wrote:
> > (gdb) p *bh
> > $1 = {ctx = 0x0, cb = 0x5555555ffdcd <qemu_gluster_aio_bh>, opaque = 
> >     0x7fffd00419c0, next = 0x555556345e70, scheduled = false, idle = false, 
> >   deleted = true}
> 
> This looks like a use-after-free, with bh->ctx corrupted when freeing
> the bottom half.  But it's not at all obvious how it can happen.
> 
> I suggest using MALLOC_PERTURB_=42 to check this theory (if it is
> correct, most fields will be something like 0x2a2a2a2a2a2a2a2a).  But I
> don't see anything clearly wrong in the patch... Thus perhaps it is
> simpler to just remove the unreachable error handling code.

(gdb) p *bh
$1 = {ctx = 0x0, cb = 0x2a2a2a2a2a2a2a2a, opaque = 0x2a2a2a2a2a2a2a2a, next = 
    0x2a2a2a2a2a2a2a2a, scheduled = false, idle = false, deleted = true}

May be as note above, I should just remove the unreachable error handling
code for now.

Regards,
Bharata.