[Qemu-commits] [qemu/qemu] f0f810: util/async: hold AioContext ref to pr
From: Peter Maydell
Subject: [Qemu-commits] [qemu/qemu] f0f810: util/async: hold AioContext ref to prevent use-aft...
Date: Tue, 27 Aug 2019 02:00:30 -0700
Branch: refs/heads/master
Home: https://github.com/qemu/qemu
Commit: f0f81002873c06fdef9bb2a272ddfd26af65b851
https://github.com/qemu/qemu/commit/f0f81002873c06fdef9bb2a272ddfd26af65b851
Author: Stefan Hajnoczi <address@hidden>
Date: 2019-08-22 (Thu, 22 Aug 2019)
Changed paths:
M util/async.c
Log Message:
-----------
util/async: hold AioContext ref to prevent use-after-free
The tests/test-bdrv-drain /bdrv-drain/iothread/drain test case does the
following:
1. The preadv coroutine calls aio_bh_schedule_oneshot() and then yields.
2. The one-shot BH executes in another AioContext. All it does is call
aio_co_wakeup(preadv_co).
3. The preadv coroutine is re-entered and returns.
There is a race condition in aio_co_wake() where the preadv coroutine
returns and the test case destroys the preadv IOThread. aio_co_wake()
can still be running in the other AioContext and it performs an access
to the freed IOThread AioContext.
Here is the race in aio_co_schedule():
    QSLIST_INSERT_HEAD_ATOMIC(&ctx->scheduled_coroutines,
                              co, co_scheduled_next);
    <-- race: co may execute before we invoke qemu_bh_schedule()!
    qemu_bh_schedule(ctx->co_schedule_bh);
So if co causes ctx to be freed then we're in trouble. Fix this problem
by holding a reference to ctx.
Signed-off-by: Stefan Hajnoczi <address@hidden>
Reviewed-by: Paolo Bonzini <address@hidden>
Message-id: address@hidden
Message-Id: <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
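The window described in the commit message above, as an added example that is not QEMU's code: a toy model in which the scheduled coroutine runs in the worst possible interleaving (immediately after the list insert) and drops the AioContext's last reference before qemu_bh_schedule() is reached. Ctx, ctx_ref() and ctx_unref() are stand-ins for AioContext, aio_context_ref() and aio_context_unref(); the "freed" flag replaces an actual free() so that the late access is observable instead of undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model, not QEMU code: a reference-counted context standing in
 * for AioContext. Instead of freeing memory, the last unref sets a flag so a
 * later access can be detected rather than crashing. */
typedef struct Ctx {
    int refcnt;
    bool freed;        /* set instead of calling free(), so a late access is observable */
    int bh_schedules;  /* how many times the co_schedule_bh was scheduled */
} Ctx;

static void ctx_ref(Ctx *ctx) { ctx->refcnt++; }

static void ctx_unref(Ctx *ctx)
{
    if (--ctx->refcnt == 0) {
        ctx->freed = true;   /* would be the real free of the AioContext */
    }
}

/* The scheduled coroutine. In the test case it returns and the test then
 * destroys the IOThread, which drops the AioContext's last reference. Here
 * that whole sequence is collapsed into a single unref. */
static void preadv_co(Ctx *ctx)
{
    ctx_unref(ctx);   /* models iothread destruction after the coroutine returns */
}

/* Model of aio_co_schedule(). Returns true if ctx was touched after it was
 * released, i.e. the use-after-free the commit describes. */
static bool aio_co_schedule_model(Ctx *ctx, bool hold_ref)
{
    if (hold_ref) {
        ctx_ref(ctx);             /* the fix: pin ctx across the window */
    }
    /* QSLIST_INSERT_HEAD_ATOMIC(&ctx->scheduled_coroutines, ...):
     * from here on the other AioContext may run the coroutine at any time.
     * Force the worst interleaving: it runs right now. */
    preadv_co(ctx);               /* <-- the race: co executes before qemu_bh_schedule() */

    bool use_after_free = ctx->freed;
    if (!use_after_free) {
        ctx->bh_schedules++;      /* qemu_bh_schedule(ctx->co_schedule_bh) */
    }
    if (hold_ref) {
        ctx_unref(ctx);           /* drop our pin; ctx may go away here, safely */
    }
    return use_after_free;
}

/* Runs one scheduling on a fresh context.
 * Returns 1 on use-after-free, 0 if the BH was scheduled and ctx was then
 * released, 2 if ctx leaked (never released). */
int run_schedule(bool hold_ref)
{
    Ctx *ctx = calloc(1, sizeof(*ctx));
    ctx->refcnt = 1;              /* the reference held by the test's IOThread */
    bool uaf = aio_co_schedule_model(ctx, hold_ref);
    bool released = ctx->freed;   /* with the fix, ctx is still released at the end */
    free(ctx);
    return uaf ? 1 : (released ? 0 : 2);
}

int main(void)
{
    printf("without ref: %s\n", run_schedule(false) == 1 ? "use-after-free" : "ok");
    printf("with ref:    %s\n", run_schedule(true) == 0 ? "ok, ctx released after BH" : "unexpected");
    return 0;
}
```

The point the model makes is that the pin must bracket the whole window: taking the reference before the insert and dropping it only after qemu_bh_schedule() means the caller's own access to ctx is always on a live object, while the context is still released once the last holder lets go.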
Commit: 5d4c1ed3d46d7e2010b389fe5f3376f605182ab0
https://github.com/qemu/qemu/commit/5d4c1ed3d46d7e2010b389fe5f3376f605182ab0
Author: Raphael Norwitz <address@hidden>
Date: 2019-08-22 (Thu, 22 Aug 2019)
Changed paths:
M hw/scsi/vhost-user-scsi.c
Log Message:
-----------
vhost-user-scsi: prevent using uninitialized vqs
Of the 3 virtqueues, seabios only sets cmd, leaving ctrl
and event without a physical address. This can cause
vhost_verify_ring_part_mapping to return ENOMEM, causing
the following logs:
    qemu-system-x86_64: Unable to map available ring for ring 0
    qemu-system-x86_64: Verify ring failure on region 0
The qemu commit e6cc11d64fc998c11a4dfcde8fda3fc33a74d844
has already resolved the issue for vhost scsi devices but
the fix was never applied to vhost-user scsi devices.
Signed-off-by: Raphael Norwitz <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
Message-id: address@hidden
Message-Id: <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
Commit: 5428e12d528fcbe31e8a9b236d1359ad52066382
https://github.com/qemu/qemu/commit/5428e12d528fcbe31e8a9b236d1359ad52066382
Author: Peter Maydell <address@hidden>
Date: 2019-08-23 (Fri, 23 Aug 2019)
Changed paths:
M hw/scsi/vhost-user-scsi.c
M util/async.c
Log Message:
-----------
Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into
staging
Pull request
# gpg: Signature made Thu 22 Aug 2019 16:52:45 BST
# gpg: using RSA key 8695A8BFD3F97CDAAC35775A9CA4ABB381AB73C8
# gpg: Good signature from "Stefan Hajnoczi <address@hidden>" [full]
# gpg: aka "Stefan Hajnoczi <address@hidden>" [full]
# Primary key fingerprint: 8695 A8BF D3F9 7CDA AC35 775A 9CA4 ABB3 81AB 73C8
* remotes/stefanha/tags/block-pull-request:
vhost-user-scsi: prevent using uninitialized vqs
util/async: hold AioContext ref to prevent use-after-free
Signed-off-by: Peter Maydell <address@hidden>
Compare: https://github.com/qemu/qemu/compare/586f3dced9f2...5428e12d528f