From: Stefan Hajnoczi <stefanha@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Ronnie Sahlberg" <ronniesahlberg@gmail.com>,
"Aarushi Mehta" <mehta.aaru20@gmail.com>,
qemu-block@nongnu.org, "Paul Durrant" <paul@xen.org>,
"Anthony Perard" <anthony.perard@citrix.com>,
"Peter Lieven" <pl@kamp.de>, "Stefan Weil" <sw@weilnetz.de>,
"Xie Yongji" <xieyongji@bytedance.com>,
"Kevin Wolf" <kwolf@redhat.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Michael S. Tsirkin" <mst@redhat.com>,
"Leonardo Bras" <leobras@redhat.com>,
"Peter Xu" <peterx@redhat.com>, "Hanna Reitz" <hreitz@redhat.com>,
"Stefano Stabellini" <sstabellini@kernel.org>,
"Richard Henderson" <richard.henderson@linaro.org>,
"David Woodhouse" <dwmw2@infradead.org>,
"Coiby Xu" <Coiby.Xu@gmail.com>,
"Eduardo Habkost" <eduardo@habkost.net>,
"Stefano Garzarella" <sgarzare@redhat.com>,
"Philippe Mathieu-Daudé" <philmd@linaro.org>,
"Daniel P. Berrangé" <berrange@redhat.com>,
"Stefan Hajnoczi" <stefanha@redhat.com>,
"Julia Suvorova" <jusual@redhat.com>,
xen-devel@lists.xenproject.org, eesposit@redhat.com,
"Juan Quintela" <quintela@redhat.com>,
"Richard W.M. Jones" <rjones@redhat.com>,
"Fam Zheng" <fam@euphon.net>,
"Marcel Apfelbaum" <marcel.apfelbaum@gmail.com>
Subject: [PATCH v5 01/21] block: Fix use after free in blockdev_mark_auto_del()
Date: Thu, 4 May 2023 15:53:07 -0400 [thread overview]
Message-ID: <20230504195327.695107-2-stefanha@redhat.com> (raw)
In-Reply-To: <20230504195327.695107-1-stefanha@redhat.com>
From: Kevin Wolf <kwolf@redhat.com>
job_cancel_locked() drops the job list lock temporarily and it may call
aio_poll(). We must assume that the list has changed after this call.
Also, with unlucky timing, it can end up freeing the job during
job_completed_txn_abort_locked(), making the job pointer invalid, too.
For both reasons, we can't just continue at block_job_next_locked(job).
Instead, start at the head of the list again after job_cancel_locked()
and skip those jobs that we already cancelled (or that are completing
anyway).
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20230503140142.474404-1-kwolf@redhat.com>
---
blockdev.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/blockdev.c b/blockdev.c
index d7b5c18f0a..2c1752a403 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -153,12 +153,22 @@ void blockdev_mark_auto_del(BlockBackend *blk)
JOB_LOCK_GUARD();
- for (job = block_job_next_locked(NULL); job;
- job = block_job_next_locked(job)) {
- if (block_job_has_bdrv(job, blk_bs(blk))) {
+ do {
+ job = block_job_next_locked(NULL);
+ while (job && (job->job.cancelled ||
+ job->job.deferred_to_main_loop ||
+ !block_job_has_bdrv(job, blk_bs(blk))))
+ {
+ job = block_job_next_locked(job);
+ }
+ if (job) {
+ /*
+ * This drops the job lock temporarily and polls, so we need to
+ * restart processing the list from the start after this.
+ */
job_cancel_locked(&job->job, false);
}
- }
+ } while (job);
dinfo->auto_del = 1;
}
--
2.40.1
next prev parent reply other threads:[~2023-05-04 19:55 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-04 19:53 [PATCH v5 00/21] block: remove aio_disable_external() API Stefan Hajnoczi
2023-05-04 19:53 ` Stefan Hajnoczi [this message]
2023-05-04 19:53 ` [PATCH v5 02/21] block-backend: split blk_do_set_aio_context() Stefan Hajnoczi
2023-05-04 19:53 ` [PATCH v5 03/21] hw/qdev: introduce qdev_is_realized() helper Stefan Hajnoczi
2023-05-04 19:53 ` [PATCH v5 04/21] virtio-scsi: avoid race between unplug and transport event Stefan Hajnoczi
2023-05-04 19:53 ` [PATCH v5 05/21] virtio-scsi: stop using aio_disable_external() during unplug Stefan Hajnoczi
2023-05-09 18:55 ` Kevin Wolf
2023-05-09 20:43 ` Stefan Hajnoczi
2023-05-04 19:53 ` [PATCH v5 06/21] util/vhost-user-server: rename refcount to in_flight counter Stefan Hajnoczi
2023-05-04 19:53 ` [PATCH v5 07/21] block/export: wait for vhost-user-blk requests when draining Stefan Hajnoczi
2023-05-04 19:53 ` [PATCH v5 08/21] block/export: stop using is_external in vhost-user-blk server Stefan Hajnoczi
2023-05-04 19:53 ` [PATCH v5 09/21] hw/xen: do not use aio_set_fd_handler(is_external=true) in xen_xenstore Stefan Hajnoczi
2023-05-04 19:53 ` [PATCH v5 10/21] block: add blk_in_drain() API Stefan Hajnoczi
2023-05-04 19:53 ` [PATCH v5 11/21] block: drain from main loop thread in bdrv_co_yield_to_drain() Stefan Hajnoczi
2023-05-04 19:53 ` [PATCH v5 12/21] xen-block: implement BlockDevOps->drained_begin() Stefan Hajnoczi
2023-05-16 14:24 ` Anthony PERARD via
2023-05-16 14:45 ` Anthony PERARD via
2023-05-04 19:53 ` [PATCH v5 13/21] hw/xen: do not set is_external=true on evtchn fds Stefan Hajnoczi
2023-05-16 14:25 ` Anthony PERARD via
2023-05-04 19:53 ` [PATCH v5 14/21] block/export: rewrite vduse-blk drain code Stefan Hajnoczi
2023-05-04 19:53 ` [PATCH v5 15/21] block/export: don't require AioContext lock around blk_exp_ref/unref() Stefan Hajnoczi
2023-05-04 19:53 ` [PATCH v5 16/21] block/fuse: do not set is_external=true on FUSE fd Stefan Hajnoczi
2023-05-04 19:53 ` [PATCH v5 17/21] virtio: make it possible to detach host notifier from any thread Stefan Hajnoczi
2023-05-04 19:53 ` [PATCH v5 18/21] virtio-blk: implement BlockDevOps->drained_begin() Stefan Hajnoczi
2023-05-04 19:53 ` [PATCH v5 19/21] virtio-scsi: " Stefan Hajnoczi
2023-05-04 19:53 ` [PATCH v5 20/21] virtio: do not set is_external=true on host notifiers Stefan Hajnoczi
2023-05-04 19:53 ` [PATCH v5 21/21] aio: remove aio_disable_external() API Stefan Hajnoczi
2023-05-04 21:44 ` [PATCH v5 00/21] block: " Kevin Wolf
2023-05-09 17:51 ` Stefan Hajnoczi
2023-05-09 18:35 ` Kevin Wolf
2023-05-09 19:07 ` Kevin Wolf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230504195327.695107-2-stefanha@redhat.com \
--to=stefanha@redhat.com \
--cc=Coiby.Xu@gmail.com \
--cc=anthony.perard@citrix.com \
--cc=berrange@redhat.com \
--cc=dwmw2@infradead.org \
--cc=eduardo@habkost.net \
--cc=eesposit@redhat.com \
--cc=fam@euphon.net \
--cc=hreitz@redhat.com \
--cc=jusual@redhat.com \
--cc=kwolf@redhat.com \
--cc=leobras@redhat.com \
--cc=marcel.apfelbaum@gmail.com \
--cc=mehta.aaru20@gmail.com \
--cc=mst@redhat.com \
--cc=paul@xen.org \
--cc=pbonzini@redhat.com \
--cc=peterx@redhat.com \
--cc=philmd@linaro.org \
--cc=pl@kamp.de \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=quintela@redhat.com \
--cc=richard.henderson@linaro.org \
--cc=rjones@redhat.com \
--cc=ronniesahlberg@gmail.com \
--cc=sgarzare@redhat.com \
--cc=sstabellini@kernel.org \
--cc=sw@weilnetz.de \
--cc=xen-devel@lists.xenproject.org \
--cc=xieyongji@bytedance.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).