From: Stefan Hajnoczi
Date: Mon, 11 Aug 2014 15:45:45 +0100
Subject: Re: [Qemu-devel] [PATCH] qemu-nbd: NULL nbd export pointer dereference after kill (TERMINATE)
To: Zhang Haoyu
Cc: Paolo Bonzini, qemu-devel
Message-ID: <20140811144545.GE496@stefanha-thinkpad.redhat.com>
In-Reply-To: <201408091133130940565@sangfor.com>

On Sat, Aug 09, 2014 at 11:33:14AM +0800, Zhang Haoyu wrote:
> After receiving the TERMINATE signal, the qemu-nbd state is set to TERMINATE, then in the main loop
> nbd_export_close -> nbd_export_put is performed, but sometimes exp->refcount is still greater than zero after nbd_export_put,
> so the qemu-nbd state has not been set to TERMINATED, and then in the next cycle the NULL exp will be dereferenced.
> do {
>     main_loop_wait(false);
>     if (state == TERMINATE) {
>         state = TERMINATING;
>         nbd_export_close(exp);
>         nbd_export_put(exp);
>         exp = NULL;
>     }
> } while (state != TERMINATED);

Please describe the scenario where refcount is greater than zero. The commit description should describe the bug and how to reproduce it.

Do you have a test case that reproduces this crash?

Please look at QEMU's ./MAINTAINERS file and CC the appropriate people. I have CCed Paolo Bonzini since he is the NBD maintainer. If you do not CC the maintainers they may miss your patch.

Please
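As an added illustration, not code from QEMU or from either poster: a small C model of the loop quoted above, in which a connected client holds its own reference on the export and drops it only after some number of main-loop iterations (that delay, and the names run_shutdown and client, are assumptions). It makes the window the report describes visible: exp has already been set to NULL while the export's refcount is still above zero, so the loop keeps running and anything that touches exp in that window dereferences NULL.

```c
/* Added model of the quoted qemu-nbd loop (not QEMU code); the client
 * holding its own export reference is an assumption, see lead-in. */
#include <stdlib.h>

typedef enum { RUNNING, TERMINATE, TERMINATING, TERMINATED } State;
typedef struct NBDExport { int refcount; } NBDExport;
static State state = RUNNING;
static void nbd_export_get(NBDExport *exp) { exp->refcount++; }

/* Last reference gone: free the export; that is what lets the loop end. */
static void nbd_export_put(NBDExport *exp)
{
    if (--exp->refcount == 0) {
        free(exp);
        state = TERMINATED;
    }
}

/* Asks clients to disconnect; in this model they drop their reference later,
 * from main_loop_wait(), not synchronously here. */
static void nbd_export_close(NBDExport *exp) { (void)exp; }

/* Shutdown loop; the client drops its reference after client_delay iterations.
 * Returns how many iterations ran with exp == NULL while the export was still
 * alive, i.e. the window in which any code touching exp dereferences NULL. */
int run_shutdown(int client_delay, int max_iters)
{
    NBDExport *exp = calloc(1, sizeof *exp);
    NBDExport *client = exp;           /* the client's own handle */
    int client_holds_ref = 1, iters = 0, hazard = 0;
    exp->refcount = 1;
    nbd_export_get(client);
    state = TERMINATE;                 /* the TERMINATE signal has arrived */
    do {
        /* main_loop_wait(): the client eventually drops its reference */
        if (client_holds_ref && iters >= client_delay) {
            client_holds_ref = 0;
            nbd_export_put(client);
        }
        if (state == TERMINATE) {
            state = TERMINATING;
            nbd_export_close(exp);
            nbd_export_put(exp);
            exp = NULL;
        } else if (state == TERMINATING && exp == NULL) {
            hazard++;                  /* export alive, local pointer NULL */
        }
        iters++;
    } while (state != TERMINATED && iters < max_iters);
    if (client_holds_ref) nbd_export_put(client);   /* tidy up on bail-out */
    return hazard;
}
```

With a client that releases promptly the window never opens; the later the last reference goes, the more iterations run with a NULL exp and a live export.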