From: Juan Quintela <quintela@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Fam Zheng" <fam@euphon.net>, "Thomas Huth" <huth@tuxfamily.org>,
"Viresh Kumar" <viresh.kumar@linaro.org>,
"Kevin Wolf" <kwolf@redhat.com>,
"Mathieu Poirier" <mathieu.poirier@linaro.org>,
"Laurent Vivier" <laurent@vivier.eu>,
"Eric Blake" <eblake@redhat.com>,
"Richard Henderson" <richard.henderson@linaro.org>,
"Raphael Norwitz" <raphael.norwitz@nutanix.com>,
"Stefan Hajnoczi" <stefanha@redhat.com>,
"Juan Quintela" <quintela@redhat.com>,
virtio-fs@redhat.com, "Alex Bennée" <alex.bennee@linaro.org>,
"Christian Borntraeger" <borntraeger@linux.ibm.com>,
"Gonglei (Arei)" <arei.gonglei@huawei.com>,
qemu-block@nongnu.org, "Xiaojuan Yang" <yangxiaojuan@loongson.cn>,
"Thomas Huth" <thuth@redhat.com>,
"Ilya Leoshkevich" <iii@linux.ibm.com>,
"Eduardo Habkost" <eduardo@habkost.net>,
"Gerd Hoffmann" <kraxel@redhat.com>,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
"Alex Williamson" <alex.williamson@redhat.com>,
"Eric Farman" <farman@linux.ibm.com>,
"Halil Pasic" <pasic@linux.ibm.com>,
"Peter Maydell" <peter.maydell@linaro.org>,
"Vladimir Sementsov-Ogievskiy" <vsementsov@yandex-team.ru>,
"Jason Wang" <jasowang@redhat.com>,
"Laurent Vivier" <lvivier@redhat.com>,
"Song Gao" <gaosong@loongson.cn>,
qemu-s390x@nongnu.org,
"Pavel Dovgalyuk" <pavel.dovgaluk@ispras.ru>,
"Klaus Jensen" <its@irrelevant.dk>,
"John Snow" <jsnow@redhat.com>,
"Michael Tokarev" <mjt@tls.msk.ru>,
qemu-arm@nongnu.org, "Paolo Bonzini" <pbonzini@redhat.com>,
"Michael S. Tsirkin" <mst@redhat.com>,
"Keith Busch" <kbusch@kernel.org>,
"David Hildenbrand" <david@redhat.com>,
qemu-trivial@nongnu.org, "Hanna Reitz" <hreitz@redhat.com>,
"Klaus Jensen" <k.jensen@samsung.com>
Subject: [PATCH v2 18/51] hw/nvme: fix aio cancel in flush
Date: Mon, 5 Dec 2022 10:51:55 +0100 [thread overview]
Message-ID: <20221205095228.1314-19-quintela@redhat.com> (raw)
In-Reply-To: <20221205095228.1314-1-quintela@redhat.com>
From: Klaus Jensen <k.jensen@samsung.com>
Make sure that iocb->aiocb is NULL'ed when cancelling.
Fix a potential use-after-free by removing the bottom half and enqueuing
the completion directly.
Fixes: 38f4ac65ac88 ("hw/nvme: reimplement flush to allow cancellation")
Reviewed-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
---
hw/nvme/ctrl.c | 21 ++++++---------------
1 file changed, 6 insertions(+), 15 deletions(-)
diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
index 9bc56075f6..fede5af6af 100644
--- a/hw/nvme/ctrl.c
+++ b/hw/nvme/ctrl.c
@@ -3160,7 +3160,6 @@ typedef struct NvmeFlushAIOCB {
BlockAIOCB common;
BlockAIOCB *aiocb;
NvmeRequest *req;
- QEMUBH *bh;
int ret;
NvmeNamespace *ns;
@@ -3176,6 +3175,7 @@ static void nvme_flush_cancel(BlockAIOCB *acb)
if (iocb->aiocb) {
blk_aio_cancel_async(iocb->aiocb);
+ iocb->aiocb = NULL;
}
}
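Review bot: blk_aio_cancel_async() returns before the cancelled flush completes (as the name says), so nvme_flush_ns_cb() still runs afterwards with the cancellation status; the new `iocb->aiocb = NULL;` is what stops a second cancel call from being issued against an aiocb the block layer may already have released. Worth a one-line comment above the assignment, since the NULL store otherwise reads as a no-op given that the callback used to clear the field itself.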
@@ -3185,6 +3185,8 @@ static const AIOCBInfo nvme_flush_aiocb_info = {
.get_aio_context = nvme_get_aio_context,
};
+static void nvme_do_flush(NvmeFlushAIOCB *iocb);
+
static void nvme_flush_ns_cb(void *opaque, int ret)
{
NvmeFlushAIOCB *iocb = opaque;
@@ -3206,13 +3208,11 @@ static void nvme_flush_ns_cb(void *opaque, int ret)
}
out:
- iocb->aiocb = NULL;
- qemu_bh_schedule(iocb->bh);
+ nvme_do_flush(iocb);
}
-static void nvme_flush_bh(void *opaque)
+static void nvme_do_flush(NvmeFlushAIOCB *iocb)
{
- NvmeFlushAIOCB *iocb = opaque;
NvmeRequest *req = iocb->req;
NvmeCtrl *n = nvme_ctrl(req);
int i;
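Review bot: dropping `iocb->aiocb = NULL;` from the out: path before `nvme_do_flush(iocb);` leaves the pointer to the just-completed aiocb in place while nvme_do_flush() runs; please confirm that every exit from nvme_do_flush() either stores a fresh aiocb or reaches done: and frees the iocb, otherwise nvme_flush_cancel() can hand a stale pointer to blk_aio_cancel_async(). Second, with the bottom half gone the chain is now nvme_flush_ns_cb() -> nvme_do_flush() -> next blk_aio_flush() -> nvme_flush_ns_cb(); that is only bounded if the block layer never invokes the completion callback synchronously from inside the aio submission, so a short comment stating that assumption (or that the BH was not needed for re-entrancy) would help the next reader.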
@@ -3239,14 +3239,8 @@ static void nvme_flush_bh(void *opaque)
return;
done:
- qemu_bh_delete(iocb->bh);
- iocb->bh = NULL;
-
iocb->common.cb(iocb->common.opaque, iocb->ret);
-
qemu_aio_unref(iocb);
-
- return;
}
static uint16_t nvme_flush(NvmeCtrl *n, NvmeRequest *req)
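Review bot: the commit message says the bottom half caused a potential use-after-free but not how; it should spell out the sequence (which object was freed, and which of nvme_flush_bh(), nvme_flush_cancel() or the block-layer completion touched it afterwards) so the Fixes: tag and this cleanup can be checked against the original report. On the code itself: after `qemu_aio_unref(iocb);` the iocb must not be touched again, which holds here since the function now ends immediately, and removing the trailing `return;` is correct as it was dead code.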
@@ -3258,7 +3252,6 @@ static uint16_t nvme_flush(NvmeCtrl *n, NvmeRequest *req)
iocb = qemu_aio_get(&nvme_flush_aiocb_info, NULL, nvme_misc_cb, req);
iocb->req = req;
- iocb->bh = qemu_bh_new(nvme_flush_bh, iocb);
iocb->ret = 0;
iocb->ns = NULL;
iocb->nsid = 0;
@@ -3280,13 +3273,11 @@ static uint16_t nvme_flush(NvmeCtrl *n, NvmeRequest *req)
}
req->aiocb = &iocb->common;
- qemu_bh_schedule(iocb->bh);
+ nvme_do_flush(iocb);
return NVME_NO_COMPLETE;
out:
- qemu_bh_delete(iocb->bh);
- iocb->bh = NULL;
qemu_aio_unref(iocb);
return status;
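Review bot: `req->aiocb = &iocb->common;` is now followed by a synchronous `nvme_do_flush(iocb);`, and nvme_do_flush() may reach done: on this very call, which invokes nvme_misc_cb() and frees the iocb before nvme_flush() returns NVME_NO_COMPLETE. Please confirm that nvme_misc_cb() (or the request completion path) clears req->aiocb in that case; otherwise a later cancel of this request would dereference freed memory, which is the class of bug this patch is meant to close. A brief comment at the call site noting that the iocb may already be gone on return would make the ordering explicit.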
--
2.38.1