From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([140.186.70.92]:45035)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <agraf@suse.de>) id 1QJRCl-0007T5-9C
	for qemu-devel@nongnu.org; Mon, 09 May 2011 10:13:00 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <agraf@suse.de>) id 1QJRCk-00022p-4w
	for qemu-devel@nongnu.org; Mon, 09 May 2011 10:12:59 -0400
Received: from cantor.suse.de ([195.135.220.2]:48800 helo=mx1.suse.de)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <agraf@suse.de>) id 1QJRCj-00022i-Ue
	for qemu-devel@nongnu.org; Mon, 09 May 2011 10:12:58 -0400
Message-ID: <4DC7F668.2060205@suse.de>
Date: Mon, 09 May 2011 16:12:56 +0200
From: Alexander Graf <agraf@suse.de>
MIME-Version: 1.0
References: <4DC6EAB5.4040607@web.de>
In-Reply-To: <4DC6EAB5.4040607@web.de>
Content-Type: text/plain; charset=ISO-8859-15; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] ahci: crash after duplicate bh registration
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Jan Kiszka <jan.kiszka@web.de>
Cc: Kevin Wolf <kwolf@redhat.com>, qemu-devel <qemu-devel@nongnu.org>

On 05/08/2011 09:10 PM, Jan Kiszka wrote:
> Hi Alex,
>
> I've seen crashes caused by ahci_check_cmd_bh unregistering a NULL bh.
> It looks like ahci_dma_set_inactive can a called while there is already
> a bh hanging around. Patch below cures the issue, but I have no clue if
> such an invocation order is valid at all.

It's certainly guest triggerable, so yes, let's check here.

Acked-by: Alexander Graf <agraf@suse.de>


Alex

> Jan
>
> ---
>
> diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
> index e2ed2ad..7870030 100644
> --- a/hw/ide/ahci.c
> +++ b/hw/ide/ahci.c
> @@ -1066,9 +1066,11 @@ static int ahci_dma_set_inactive(IDEDMA *dma)
>
>       ad->dma_cb = NULL;
>
> -    /* maybe we still have something to process, check later */
> -    ad->check_bh = qemu_bh_new(ahci_check_cmd_bh, ad);
> -    qemu_bh_schedule(ad->check_bh);
> +    if (!ad->check_bh) {
> +        /* maybe we still have something to process, check later */
> +        ad->check_bh = qemu_bh_new(ahci_check_cmd_bh, ad);
> +        qemu_bh_schedule(ad->check_bh);
> +    }
>
>       return 0;
>   }
>