Re: [Qemu-devel] [PATCH] block: Fix race in gluster_finish

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH] block: Fix race in gluster_finish_aiocb

From:	Bharata B Rao
Subject:	Re: [Qemu-devel] [PATCH] block: Fix race in gluster_finish_aiocb
Date:	Fri, 23 Aug 2013 13:41:00 +0530
User-agent:	Mutt/1.5.21 (2010-09-15)

On Fri, Aug 23, 2013 at 09:33:21AM +0200, Paolo Bonzini wrote:
> > (gdb) p *bh
> > $1 = {ctx = 0x0, cb = 0x5555555ffdcd <qemu_gluster_aio_bh>, opaque = 
> >     0x7fffd00419c0, next = 0x555556345e70, scheduled = false, idle = false, 
> >   deleted = true}
> 
> This looks like a use-after-free, with bh->ctx corrupted when freeing
> the bottom half.  But it's not at all obvious how it can happen.
> 
> I suggest using MALLOC_PERTURB_=42 to check this theory (if it is
> correct, most fields will be something like 0x2a2a2a2a2a2a2a2a).  But I
> don't see anything clearly wrong in the patch... Thus perhaps it is
> simpler to just remove the unreachable error handling code.

(gdb) p *bh
$1 = {ctx = 0x0, cb = 0x2a2a2a2a2a2a2a2a, opaque = 0x2a2a2a2a2a2a2a2a, next = 
    0x2a2a2a2a2a2a2a2a, scheduled = false, idle = false, deleted = true}

May be as note above, I should just remove the unreachable error handling
code for now.

Regards,
Bharata.

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [Qemu-devel] [PATCH] block: Fix race in gluster_finish_aiocb, (continued)

Prev by Date: Re: [Qemu-devel] [PATCH 13/18] arch_init: adjust ram_save_setup() for migrate_is_localhost
Next by Date: [Qemu-devel] [PATCH V9 01/15] monitor: avoid use of global *cur_mon in cmd_completion()
Previous by thread: Re: [Qemu-devel] [PATCH] block: Fix race in gluster_finish_aiocb
Next by thread: [Qemu-devel] [PULL 0/3] OpenRISC patch queue for 1.7
Index(es):
- Date
- Thread