block/iscsi: fix potential segfault on early callback

Message ID	1402386736-11673-1-git-send-email-pl@kamp.de
State	New
Headers	show Return-Path: <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org> hbedv: 8.3.20.8/7.11.154.26. spamassassin: 3.4.0. Clear:RC:1(82.141.1.145):SA:0(-1.2/4.0):. Processed in 1.375611 secs); 10 Jun 2014 07:52:49 -0000 From: Peter Lieven <pl@kamp.de> To: qemu-devel@nongnu.org Date: Tue, 10 Jun 2014 09:52:16 +0200 Message-Id: <1402386736-11673-1-git-send-email-pl@kamp.de> Error: Malformed IPv6 address (bad octet value). Cc: kwolf@redhat.com, pbonzini@redhat.com, Peter Lieven <pl@kamp.de>, stefanha@redhat.com Subject: [Qemu-devel] [PATCH] block/iscsi: fix potential segfault on early callback Precedence: list Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org

Message ID

1402386736-11673-1-git-send-email-pl@kamp.de

State

New

Headers

X-GL_Whitelist: yes
Received: from lieven-pc.kamp-intra.net (lieven-pc.kamp-intra.net
	[172.21.12.60])
	by dns.kamp-intra.net (Postfix) with ESMTP id 9F5E720695;
	Tue, 10 Jun 2014 09:52:17 +0200 (CEST)
Received: by lieven-pc.kamp-intra.net (Postfix, from userid 1000)
	id 938945FC70; Tue, 10 Jun 2014 09:52:17 +0200 (CEST)
From: Peter Lieven <pl@kamp.de>
To: qemu-devel@nongnu.org
Date: Tue, 10 Jun 2014 09:52:16 +0200
Message-Id: <1402386736-11673-1-git-send-email-pl@kamp.de>
X-Mailer: git-send-email 1.7.9.5
X-detected-operating-system: by eggs.gnu.org: Error: Malformed IPv6 address
	(bad octet value).
X-Received-From: 2a02:248:0:51::16
Cc: kwolf@redhat.com, pbonzini@redhat.com, Peter Lieven <pl@kamp.de>,
	stefanha@redhat.com
Subject: [Qemu-devel] [PATCH] block/iscsi: fix potential segfault on early
	callback
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org

Commit Message

Peter Lieven June 10, 2014, 7:52 a.m. UTC

it might happen in the future that a function directly invokes its callback.
In this case we end up in a segfault because the iTask is gone when the BH
is scheduled.

Signed-off-by: Peter Lieven <pl@kamp.de>
---
 block/iscsi.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

Comments

Paolo Bonzini June 10, 2014, 8:08 a.m. UTC | #1

Il 10/06/2014 09:52, Peter Lieven ha scritto:
> it might happen in the future that a function directly invokes its callback.
> In this case we end up in a segfault because the iTask is gone when the BH
> is scheduled.
>
> Signed-off-by: Peter Lieven <pl@kamp.de>
> ---
>  block/iscsi.c |    5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/block/iscsi.c b/block/iscsi.c
> index 019b324..4bf4238 100644
> --- a/block/iscsi.c
> +++ b/block/iscsi.c
> @@ -146,6 +146,7 @@ iscsi_schedule_bh(IscsiAIOCB *acb)
>  static void iscsi_co_generic_bh_cb(void *opaque)
>  {
>      struct IscsiTask *iTask = opaque;
> +    iTask->complete = 1;
>      qemu_bh_delete(iTask->bh);
>      qemu_coroutine_enter(iTask->co, NULL);
>  }
> @@ -153,6 +154,7 @@ static void iscsi_co_generic_bh_cb(void *opaque)
>  static void iscsi_retry_timer_expired(void *opaque)
>  {
>      struct IscsiTask *iTask = opaque;
> +    iTask->complete = 1;
>      if (iTask->co) {
>          qemu_coroutine_enter(iTask->co, NULL);
>      }
> @@ -171,7 +173,6 @@ iscsi_co_generic_cb(struct iscsi_context *iscsi, int status,
>      struct IscsiTask *iTask = opaque;
>      struct scsi_task *task = command_data;
>
> -    iTask->complete = 1;
>      iTask->status = status;
>      iTask->do_retry = 0;
>      iTask->task = task;
> @@ -209,6 +210,8 @@ out:
>          iTask->bh = aio_bh_new(iTask->iscsilun->aio_context,
>                                 iscsi_co_generic_bh_cb, iTask);
>          qemu_bh_schedule(iTask->bh);
> +    } else {
> +        iTask->complete = 1;
>      }
>  }
>
>

Applied, thanks.  I'll leave the nfs patch to Kevin and/or Stefan.

Paolo

Peter Lieven June 10, 2014, 8:14 a.m. UTC | #2

On 10.06.2014 10:08, Paolo Bonzini wrote:
> Il 10/06/2014 09:52, Peter Lieven ha scritto:
>> it might happen in the future that a function directly invokes its callback.
>> In this case we end up in a segfault because the iTask is gone when the BH
>> is scheduled.
>>
>> Signed-off-by: Peter Lieven <pl@kamp.de>
>> ---
>>  block/iscsi.c |    5 ++++-
>>  1 file changed, 4 insertions(+), 1 deletion(-)
>>
>> diff --git a/block/iscsi.c b/block/iscsi.c
>> index 019b324..4bf4238 100644
>> --- a/block/iscsi.c
>> +++ b/block/iscsi.c
>> @@ -146,6 +146,7 @@ iscsi_schedule_bh(IscsiAIOCB *acb)
>>  static void iscsi_co_generic_bh_cb(void *opaque)
>>  {
>>      struct IscsiTask *iTask = opaque;
>> +    iTask->complete = 1;
>>      qemu_bh_delete(iTask->bh);
>>      qemu_coroutine_enter(iTask->co, NULL);
>>  }
>> @@ -153,6 +154,7 @@ static void iscsi_co_generic_bh_cb(void *opaque)
>>  static void iscsi_retry_timer_expired(void *opaque)
>>  {
>>      struct IscsiTask *iTask = opaque;
>> +    iTask->complete = 1;
>>      if (iTask->co) {
>>          qemu_coroutine_enter(iTask->co, NULL);
>>      }
>> @@ -171,7 +173,6 @@ iscsi_co_generic_cb(struct iscsi_context *iscsi, int status,
>>      struct IscsiTask *iTask = opaque;
>>      struct scsi_task *task = command_data;
>>
>> -    iTask->complete = 1;
>>      iTask->status = status;
>>      iTask->do_retry = 0;
>>      iTask->task = task;
>> @@ -209,6 +210,8 @@ out:
>>          iTask->bh = aio_bh_new(iTask->iscsilun->aio_context,
>>                                 iscsi_co_generic_bh_cb, iTask);
>>          qemu_bh_schedule(iTask->bh);
>> +    } else {
>> +        iTask->complete = 1;
>>      }
>>  }
>>
>>
>
> Applied, thanks.  I'll leave the nfs patch to Kevin and/or Stefan.

Thank you,

Stefan/Kevin I messed up the commit message. Can you please fix when picking up:

---8<---

it will happen in the future that a function directly invokes its callback.
In this case we end up in a segfault because the NFSRPC is gone when we the
BH is scheduled.

--->8---

Thanks,
Peter

diff --git a/block/iscsi.c b/block/iscsi.c
index 019b324..4bf4238 100644
--- a/block/iscsi.c
+++ b/block/iscsi.c
@@ -146,6 +146,7 @@  iscsi_schedule_bh(IscsiAIOCB *acb)
 static void iscsi_co_generic_bh_cb(void *opaque)
 {
     struct IscsiTask *iTask = opaque;
+    iTask->complete = 1;
     qemu_bh_delete(iTask->bh);
     qemu_coroutine_enter(iTask->co, NULL);
 }
@@ -153,6 +154,7 @@  static void iscsi_co_generic_bh_cb(void *opaque)
 static void iscsi_retry_timer_expired(void *opaque)
 {
     struct IscsiTask *iTask = opaque;
+    iTask->complete = 1;
     if (iTask->co) {
         qemu_coroutine_enter(iTask->co, NULL);
     }
@@ -171,7 +173,6 @@  iscsi_co_generic_cb(struct iscsi_context *iscsi, int status,
     struct IscsiTask *iTask = opaque;
     struct scsi_task *task = command_data;
 
-    iTask->complete = 1;
     iTask->status = status;
     iTask->do_retry = 0;
     iTask->task = task;
@@ -209,6 +210,8 @@  out:
         iTask->bh = aio_bh_new(iTask->iscsilun->aio_context,
                                iscsi_co_generic_bh_cb, iTask);
         qemu_bh_schedule(iTask->bh);
+    } else {
+        iTask->complete = 1;
     }
 }

block/iscsi: fix potential segfault on early callback

Commit Message

Comments

Patch