Date: Sat, 9 Aug 2014 11:33:14 +0800
From: "Zhang Haoyu"
Message-ID: <201408091133130940565@sangfor.com>
Subject: [Qemu-devel] [PATCH] qemu-nbd: NULL nbd export pointer dereference after kill (TERMINATE)
To: qemu-devel

After receiving the TERMINATE signal, the qemu-nbd state is set to TERMINATE; then, in the main loop, nbd_export_close -> nbd_export_put is performed, but sometimes exp->refcount is still greater than zero after nbd_export_put, so the qemu-nbd state has not been set to TERMINATED, and in the next cycle the NULL exp will be dereferenced.

    do {
        main_loop_wait(false);
        if (state == TERMINATE) {
            state = TERMINATING;
            nbd_export_close(exp);
            nbd_export_put(exp);
            exp = NULL;
        }
    } while (state != TERMINATED);
Signed-off-by: Zhang Haoyu --- blockdev-nbd.c | 5 +++-- include/block/nbd.h | 2 +- nbd.c | 5 ++++- qemu-nbd.c | 6 +++--- 4 files changed, 11 insertions(+), 7 deletions(-) diff --git a/blockdev-nbd.c b/blockdev-nbd.c index b3a2474..c339081 100644 --- a/blockdev-nbd.c +++ b/blockdev-nbd.c @@ -65,8 +65,9 @@ static void nbd_close_notifier(Notifier *n, void *data) notifier_remove(&cn->n); QTAILQ_REMOVE(&close_notifiers, cn, next); - nbd_export_close(cn->exp); - nbd_export_put(cn->exp); + do { + cn->exp = nbd_export_put(cn->exp); + } while (cn->exp); g_free(cn); } diff --git a/include/block/nbd.h b/include/block/nbd.h index 9e835d2..1912ef0 100644 --- a/include/block/nbd.h +++ b/include/block/nbd.h @@ -90,7 +90,7 @@ NBDExport *nbd_export_new(BlockDriverState *bs, off_t dev_offset, void (*close)(NBDExport *)); void nbd_export_close(NBDExport *exp); void nbd_export_get(NBDExport *exp); -void nbd_export_put(NBDExport *exp); +NBDExport *nbd_export_put(NBDExport *exp); BlockDriverState *nbd_export_get_blockdev(NBDExport *exp); diff --git a/nbd.c b/nbd.c index e7d1cee..2fccba5 100644 --- a/nbd.c +++ b/nbd.c @@ -991,7 +991,7 @@ void nbd_export_get(NBDExport *exp) exp->refcount++; } -void nbd_export_put(NBDExport *exp) +NBDExport *nbd_export_put(NBDExport *exp) { assert(exp->refcount > 0); if (exp->refcount == 1) { @@ -1006,7 +1006,10 @@ void nbd_export_put(NBDExport *exp) } g_free(exp); + return NULL; } + + return exp; } BlockDriverState *nbd_export_get_blockdev(NBDExport *exp) diff --git a/qemu-nbd.c b/qemu-nbd.c index 626e584..e1f3577 100644 --- a/qemu-nbd.c +++ b/qemu-nbd.c @@ -735,9 +735,9 @@ int main(int argc, char **argv) main_loop_wait(false); if (state == TERMINATE) { state = TERMINATING; - nbd_export_close(exp); - nbd_export_put(exp); - exp = NULL; + do { + exp = nbd_export_put(exp); + } while (exp); } } while (state != TERMINATED); -- 1.9.4.msysgit.0
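Review bot: in the blockdev-nbd.c hunk the `nbd_export_close(cn->exp);` call is dropped rather than moved, and the replacement `do { cn->exp = nbd_export_put(cn->exp); } while (cn->exp);` releases references the close notifier does not own. One nbd_export_put balances one nbd_export_get; calling it until the export is freed takes the references of every other holder, which leaves those holders with a dangling pointer and turns their own later nbd_export_put into a use-after-free. Keep `nbd_export_close(cn->exp); nbd_export_put(cn->exp);` here; if the notifier needs to know when the export is actually gone, that information belongs in the export's close callback, not in a loop that drains the count.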
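Review bot: the new `NBDExport *nbd_export_put(NBDExport *exp);` prototype in include/block/nbd.h changes a public contract without documenting it. Add a comment above the declaration stating that the return value is exp while other references remain and NULL once the export has been freed, and that the caller must not use exp after a NULL return. Note also that a non-NULL return tells the caller nothing about whether it still holds a reference itself, which is exactly what tempts the loop-until-NULL callers elsewhere in this patch.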
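Review bot: in the nbd.c hunk at line 1006, `return NULL;` directly after `g_free(exp);` and `return exp;` at the end give the two paths different meanings (freed vs. still referenced) with no comment in the function body explaining it; put the contract next to the new `return exp;` so a reader of nbd.c does not have to consult the header. Any nbd_export_put() call sites this patch leaves untouched simply discard the new return value, so the signature change only serves the two new loops, which is a further reason to reconsider those loops instead of the signature.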
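Review bot: the qemu-nbd.c hunk has the same ownership problem as the blockdev-nbd.c one, and the commit message itself explains why the loop is wrong: exp->refcount is still above zero after the owner's single nbd_export_put because other holders still have references, and state only becomes TERMINATED once the last of them lets go. Forcing the count to zero from main() frees the export underneath those holders. The NULL dereference the message describes comes from `exp = NULL;` running while state is still TERMINATING and the loop keeps spinning; the narrower fix is to leave `nbd_export_close(exp); nbd_export_put(exp);` as they were and either defer `exp = NULL` to whichever path sets state to TERMINATED, or check `state == TERMINATING` before anything in the loop touches exp.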
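The reference-ownership point behind the commit message (the count staying above zero after the owner's put is expected, because another holder still has a reference), as an added example that is not part of this patch or of QEMU: a small C model of an export with a close callback and one client holding its own reference. All names here (Export, Client, export_get, export_put, export_close, balanced_shutdown, drain_loop_stolen_refs, the state enum) are hypothetical stand-ins for NBDExport, nbd_export_get/put/close and qemu-nbd's state variable; export_put follows the patched nbd_export_put() contract of returning the export or NULL.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for qemu-nbd's state machine and NBDExport. */
enum { RUNNING, TERMINATE, TERMINATING, TERMINATED };
static int state = RUNNING;

typedef struct Export {
    int refcount;
    int closed;                          /* export_close() ran: no new clients */
    void (*close_cb)(struct Export *);   /* fires when the last reference drops */
} Export;

/* A connected client keeps its own reference to the export; this is the
 * reference that is still outstanding after the owner's single put. */
typedef struct Client {
    Export *exp;
} Client;

static void export_closed_cb(Export *exp)
{
    (void)exp;
    state = TERMINATED;                  /* the owner's loop waits for this */
}

static Export *export_new(void (*cb)(Export *))
{
    Export *exp = calloc(1, sizeof(*exp));
    exp->refcount = 1;                   /* the owner's reference */
    exp->close_cb = cb;
    return exp;
}

static void export_get(Export *exp)
{
    exp->refcount++;
}

/* Same contract as the patched nbd_export_put(): returns the export while
 * references remain, NULL once it has been freed. */
static Export *export_put(Export *exp)
{
    assert(exp->refcount > 0);
    if (--exp->refcount == 0) {
        if (exp->close_cb) {
            exp->close_cb(exp);
        }
        free(exp);
        return NULL;
    }
    return exp;
}

static void export_close(Export *exp)
{
    exp->closed = 1;
}

static Client *client_new(Export *exp)
{
    Client *c = calloc(1, sizeof(*c));
    c->exp = exp;
    export_get(exp);                     /* the client owns one reference */
    return c;
}

static void client_close(Client *c)
{
    export_put(c->exp);                  /* the client drops only its own reference */
    free(c);
}

/* Balanced shutdown: the owner closes the export, drops one reference and
 * waits for the callback. Returns 1 when the export outlived the owner's
 * put and state reached TERMINATED only after the client released its own
 * reference. */
int balanced_shutdown(void)
{
    state = RUNNING;
    Export *exp = export_new(export_closed_cb);
    Client *c = client_new(exp);                          /* refcount 2 */

    state = TERMINATE;
    state = TERMINATING;
    export_close(exp);
    int alive_after_owner_put = export_put(exp) != NULL;  /* refcount 1 */
    int state_after_owner_put = state;                    /* still TERMINATING */
    exp = NULL;                                           /* owner is done with it */

    client_close(c);                                      /* refcount 0: callback, free */
    return alive_after_owner_put && state_after_owner_put == TERMINATING
           && state == TERMINATED;
}

/* The drain loop from the patch: call put until it returns NULL. Returns how
 * many references belonging to another holder (here: the client) the loop
 * took. Any value above 0 means the client now holds a dangling pointer, so
 * the client struct is released without the export_put it would normally do. */
int drain_loop_stolen_refs(void)
{
    state = RUNNING;
    Export *exp = export_new(export_closed_cb);
    Client *c = client_new(exp);                          /* refcount 2 */
    int puts = 0;

    state = TERMINATING;
    do {
        exp = export_put(exp);
        puts++;
    } while (exp);                                        /* freed under the client */

    free(c);                 /* client_close(c) here would be a use-after-free */
    return puts - 1;         /* every put beyond the owner's own one was stolen */
}

int main(void)
{
    printf("balanced shutdown ok: %d\n", balanced_shutdown());
    printf("drain loop stole %d reference(s)\n", drain_loop_stolen_refs());
    return 0;
}
```

The balanced sequence keeps the export alive until the client's put, with the callback moving state to TERMINATED at that point; the drain loop reaches NULL only by taking the client's reference, which is the use-after-free the patch introduces. Applying the same counting to the patched hunks shows why the owner's loop in main() must not run more puts than it did gets.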