Date: Mon, 23 Nov 2015 08:39:59 +0800
From: Fam Zheng
Message-ID: <20151123003959.GC7463@ad.usersys.redhat.com>
References: <1447755611-11117-1-git-send-email-famz@redhat.com> <56521A53.8030604@redhat.com>
In-Reply-To: <56521A53.8030604@redhat.com>
Subject: Re: [Qemu-devel] [PATCH v3] virtio-blk: Fix double completion for werror=stop
To: Paolo Bonzini
Cc: Kevin Wolf, lvivier@redhat.com, qemu-block@nongnu.org, pl@kamp.de, qemu-devel@nongnu.org, qemu-stable@nongnu.org, Stefan Hajnoczi, dgibson@redhat.com

On Sun, 11/22 20:41, Paolo Bonzini wrote:
> > diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
> > index e70fccf..848f3fe 100644
> > --- a/hw/block/virtio-blk.c
> > +++ b/hw/block/virtio-blk.c
> > @@ -112,6 +112,10 @@ static void virtio_blk_rw_complete(void *opaque, int ret)
> > * happen on the other side of the migration).
> > */
> > if (virtio_blk_handle_rw_error(req, -ret, is_read)) {
> > + /* Break the link in case the next request is added to the
> > + * restart queue and is going to be parsed from the ring again.
> > + */
> > + req->mr_next = NULL;
> > continue;
> > }
> > }
> >
>
> This is now a write-after-free for rerror/werror=stop. The right place
> to set req->mr_next is inside virtio_blk_handle_rw_error, I think.
>

Oh yes :( Sending another patch.

Fam
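Review bot: The assignment `req->mr_next = NULL;` in the hunk runs after `virtio_blk_handle_rw_error(req, -ret, is_read)` has already returned true, and the reply points out that on some error-action paths that callee has already completed and freed `req`, so the write lands on freed memory. The safer shape is the one the reply suggests: clear `mr_next` inside `virtio_blk_handle_rw_error`, on the path where the request is put on the restart queue (the only case where the stale link can cause a double completion), and leave `virtio_blk_rw_complete` with just the `continue;` after the call. The added comment should then move with the assignment so that it documents the queueing path rather than the caller.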