From: Kevin Wolf <kwolf@redhat.com>
To: qemu-block@nongnu.org
Cc: kwolf@redhat.com, richard.henderson@linaro.org, qemu-devel@nongnu.org
Subject: [PULL 04/28] block: Fix use after free in blockdev_mark_auto_del()
Date: Wed, 10 May 2023 14:20:47 +0200 [thread overview]
Message-ID: <20230510122111.46566-5-kwolf@redhat.com> (raw)
In-Reply-To: <20230510122111.46566-1-kwolf@redhat.com>
job_cancel_locked() drops the job list lock temporarily and it may call
aio_poll(). We must assume that the list has changed after this call.
Also, with unlucky timing, it can end up freeing the job during
job_completed_txn_abort_locked(), making the job pointer invalid, too.
For both reasons, we can't just continue at block_job_next_locked(job).
Instead, start at the head of the list again after job_cancel_locked()
and skip those jobs that we already cancelled (or that are completing
anyway).
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <20230503140142.474404-1-kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
blockdev.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/blockdev.c b/blockdev.c
index d7b5c18f0a..2c1752a403 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -153,12 +153,22 @@ void blockdev_mark_auto_del(BlockBackend *blk)
JOB_LOCK_GUARD();
- for (job = block_job_next_locked(NULL); job;
- job = block_job_next_locked(job)) {
- if (block_job_has_bdrv(job, blk_bs(blk))) {
+ do {
+ job = block_job_next_locked(NULL);
+ while (job && (job->job.cancelled ||
+ job->job.deferred_to_main_loop ||
+ !block_job_has_bdrv(job, blk_bs(blk))))
+ {
+ job = block_job_next_locked(job);
+ }
+ if (job) {
+ /*
+ * This drops the job lock temporarily and polls, so we need to
+ * restart processing the list from the start after this.
+ */
job_cancel_locked(&job->job, false);
}
- }
+ } while (job);
dinfo->auto_del = 1;
}
--
2.40.1
next prev parent reply other threads:[~2023-05-10 12:23 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-10 12:20 [PULL 00/28] Block layer patches Kevin Wolf
2023-05-10 12:20 ` [PULL 01/28] block: add configure options for excluding vmdk, vhdx and vpc Kevin Wolf
2023-05-10 12:20 ` [PULL 02/28] block: add missing coroutine_fn annotations Kevin Wolf
2023-05-10 12:20 ` [PULL 03/28] aio-wait: avoid AioContext lock in aio_wait_bh_oneshot() Kevin Wolf
2023-05-10 12:20 ` Kevin Wolf [this message]
2023-05-10 12:20 ` [PULL 05/28] iotests/nbd-reconnect-on-open: Fix NBD socket path Kevin Wolf
2023-05-10 12:20 ` [PULL 06/28] migration: Attempt disk reactivation in more failure scenarios Kevin Wolf
2023-05-10 12:20 ` [PULL 07/28] qcow2: Don't call bdrv_getlength() in coroutine_fns Kevin Wolf
2023-05-10 12:20 ` [PULL 08/28] block: Consistently call bdrv_activate() outside coroutine Kevin Wolf
2023-05-10 12:20 ` [PULL 09/28] block: bdrv/blk_co_unref() for calls in coroutine context Kevin Wolf
2023-05-11 15:32 ` Michael Tokarev
2023-05-15 13:07 ` Kevin Wolf
2023-05-15 14:25 ` Michael Tokarev
2023-05-10 12:20 ` [PULL 10/28] block: Don't call no_coroutine_fns in qmp_block_resize() Kevin Wolf
2023-05-10 12:20 ` [PULL 11/28] iotests: Test resizing image attached to an iothread Kevin Wolf
2023-05-10 12:20 ` [PULL 12/28] test-bdrv-drain: Don't modify the graph in coroutines Kevin Wolf
2023-05-10 12:20 ` [PULL 13/28] graph-lock: Add GRAPH_UNLOCKED(_PTR) Kevin Wolf
2023-05-10 12:20 ` [PULL 14/28] graph-lock: Fix GRAPH_RDLOCK_GUARD*() to be reader lock Kevin Wolf
2023-05-10 12:20 ` [PULL 15/28] block: .bdrv_open is non-coroutine and unlocked Kevin Wolf
2023-05-10 12:20 ` [PULL 16/28] nbd: Remove nbd_co_flush() wrapper function Kevin Wolf
2023-05-10 12:21 ` [PULL 17/28] nbd: Mark nbd_co_do_establish_connection() and callers GRAPH_RDLOCK Kevin Wolf
2023-05-10 12:21 ` [PULL 18/28] vhdx: Require GRAPH_RDLOCK for accessing a node's parent list Kevin Wolf
2023-05-10 12:21 ` [PULL 19/28] mirror: " Kevin Wolf
2023-05-10 12:21 ` [PULL 20/28] block: Mark bdrv_co_get_allocated_file_size() and callers GRAPH_RDLOCK Kevin Wolf
2023-05-10 12:21 ` [PULL 21/28] block: Mark bdrv_co_get_info() " Kevin Wolf
2023-05-10 12:21 ` [PULL 22/28] block: Mark bdrv_co_debug_event() GRAPH_RDLOCK Kevin Wolf
2023-05-10 12:21 ` [PULL 23/28] block: Mark BlockDriver callbacks for amend job GRAPH_RDLOCK Kevin Wolf
2023-05-10 12:21 ` [PULL 24/28] block: Mark bdrv_query_bds_stats() and callers GRAPH_RDLOCK Kevin Wolf
2023-05-10 12:21 ` [PULL 25/28] block: Mark bdrv_query_block_graph_info() " Kevin Wolf
2023-05-10 12:21 ` [PULL 26/28] block: Mark bdrv_recurse_can_replace() " Kevin Wolf
2023-05-10 12:21 ` [PULL 27/28] block: Mark bdrv_refresh_limits() " Kevin Wolf
2023-05-10 12:21 ` [PULL 28/28] block: compile out assert_bdrv_graph_readable() by default Kevin Wolf
2023-05-10 15:42 ` [PULL 00/28] Block layer patches Richard Henderson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230510122111.46566-5-kwolf@redhat.com \
--to=kwolf@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=richard.henderson@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).