| Message ID | 20220203163024.38913-4-hreitz@redhat.com |
|---|---|
| State | New |
| Headers | show |
| Series | block/nbd: Move s->ioc on AioContext change | expand |
03.02.2022 19:30, Hanna Reitz wrote: > Our two timers must not remain armed beyond nbd_clear_bdrvstate(), or > they will access freed data when they fire. > > This patch is separate from the patches that actually fix the issue > (HEAD^^ and HEAD^) so that you can run the associated regression iotest > (281) on a configuration that reproducibly exposes the bug. > > Signed-off-by: Hanna Reitz<hreitz@redhat.com> Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
diff --git a/block/nbd.c b/block/nbd.c index 5ff8a57314..dc6c3f3bbc 100644 --- a/block/nbd.c +++ b/block/nbd.c @@ -110,6 +110,10 @@ static void nbd_clear_bdrvstate(BlockDriverState *bs) yank_unregister_instance(BLOCKDEV_YANK_INSTANCE(bs->node_name)); + /* Must not leave timers behind that would access freed data */ + assert(!s->reconnect_delay_timer); + assert(!s->open_timer); + object_unref(OBJECT(s->tlscreds)); qapi_free_SocketAddress(s->saddr); s->saddr = NULL;
Our two timers must not remain armed beyond nbd_clear_bdrvstate(), or they will access freed data when they fire. This patch is separate from the patches that actually fix the issue (HEAD^^ and HEAD^) so that you can run the associated regression iotest (281) on a configuration that reproducibly exposes the bug. Signed-off-by: Hanna Reitz <hreitz@redhat.com> --- block/nbd.c | 4 ++++ 1 file changed, 4 insertions(+)