On Tue, Jun 13, 2017 at 12:35:21PM +0200, Gioh Kim wrote:
> I'd like to report one use-after-free problem which is found by 
> AddressSanitizer.
> My company provides virtualization server with Qemu-2.7.

I have tried the following but was unable to reproduce a segfault.
Please reproduce this issue with qemu.git/master and post the steps:

  $ qemu -M accel=kvm -cpu host -m 1G \
         -drive if=none,id=drive0,file=test.img,format=raw \
         -device virtio-blk-pci,drive=drive0,id=virtio-blk-pci0 \
         -drive if=none,id=drive1,file.driver=null-co,file.read-zeroes=on,file.latency-ns=5000000000,format=raw \
         -device virtio-blk-pci,drive=drive1,id=virtio-blk-pci1 \
         -d trace:virtio_blk_\*

First I just wanted to see what happens when system_reset is invoked
while a request is in flight:

  guest$ dd if=/dev/vdb of=/dev/null iflag=direct bs=512 count=1
  (qemu) system_reset
  9491@1497430655.149154:virtio_blk_handle_read vdev 0x62d00006c910 req 0x611000b07880 sector 0 nsectors 1
  > virtio_pci_reset vdev 0x62d00006c910
  9491@1497430656.061027:virtio_blk_data_plane_stop dataplane 0x606000096c80
  9491@1497430660.152620:virtio_blk_rw_complete vdev 0x62d00006c910 req 0x611000b07880 ret 0
  9491@1497430660.152665:virtio_blk_req_complete vdev 0x62d00006c910 req 0x611000b07880 status 0
  > virtio_blk_reset vdev 0x62d00006c910

Requests are drained in virtio_blk_data_plane_stop() and again in
virtio_blk_reset() so in-flight requests will exist across system_reset.

Next I tried what you suggested:

  guest$ dd if=/dev/vdb of=/dev/null iflag=direct bs=512 count=1
  (qemu) device_del virtio-blk-pci1
  (qemu) system_reset
  9491@1497431041.871223:virtio_blk_handle_read vdev 0x62d00006c910 req 0x611001464040 sector 0 nsectors 1
  9491@1497431044.094051:virtio_blk_data_plane_stop dataplane 0x606000096c80
  9491@1497431046.874215:virtio_blk_rw_complete vdev 0x62d00006c910 req 0x611001464040 ret 0
  9491@1497431046.874256:virtio_blk_req_complete vdev 0x62d00006c910 req 0x611001464040 status 0

The request was also drained by virtio_blk_data_plane_stop().

(I added the vdev parameter to the trace events to make it easy to
identify the virtio-blk device that a request belongs to.  I will send a
patch to qemu-devel.)

Stefan
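
The check Stefan does by eye above (did any request that was in flight when the
reset path started complete only afterwards?) can be automated over the
`pid@timestamp:event args` lines that `-d trace:virtio_blk_*` writes to stderr.
The following is an added example, not code from the message or from QEMU: it
parses those trace lines, tracks requests from `virtio_blk_handle_read` to
`virtio_blk_req_complete`, and reports which reset-path events each request was
outstanding across. The two sample traces are copied from the message (the `>`
lines are treated as unstamped reset markers, as they appear there); the
`virtio_blk_handle_write` event name is assumed to follow the same argument
layout as `virtio_blk_handle_read`.

```python
import re

# Trace output copied from the two experiments in the message above. The
# "(qemu)" monitor lines are kept to show that non-trace lines are skipped.
TRACE_RESET_ONLY = """\
(qemu) system_reset
9491@1497430655.149154:virtio_blk_handle_read vdev 0x62d00006c910 req 0x611000b07880 sector 0 nsectors 1
> virtio_pci_reset vdev 0x62d00006c910
9491@1497430656.061027:virtio_blk_data_plane_stop dataplane 0x606000096c80
9491@1497430660.152620:virtio_blk_rw_complete vdev 0x62d00006c910 req 0x611000b07880 ret 0
9491@1497430660.152665:virtio_blk_req_complete vdev 0x62d00006c910 req 0x611000b07880 status 0
> virtio_blk_reset vdev 0x62d00006c910
"""

TRACE_DEVICE_DEL = """\
(qemu) device_del virtio-blk-pci1
(qemu) system_reset
9491@1497431041.871223:virtio_blk_handle_read vdev 0x62d00006c910 req 0x611001464040 sector 0 nsectors 1
9491@1497431044.094051:virtio_blk_data_plane_stop dataplane 0x606000096c80
9491@1497431046.874215:virtio_blk_rw_complete vdev 0x62d00006c910 req 0x611001464040 ret 0
9491@1497431046.874256:virtio_blk_req_complete vdev 0x62d00006c910 req 0x611001464040 status 0
"""

# "pid@seconds.micros:event args" as printed by -d trace:..., or a "> event args"
# marker line without a timestamp (as used in the message above).
EVENT_RE = re.compile(r'^(?:>\s*|\d+@\d+\.\d+:)(?P<name>\w+)(?P<args>.*)$')
# Arguments are "name value" pairs; values are pointers or integers.
ARG_RE = re.compile(r'(\w+) (0x[0-9a-fA-F]+|-?\d+)')

# Events that mean the device is being torn down or quiesced.
RESET_EVENTS = {"virtio_pci_reset", "virtio_blk_data_plane_stop", "virtio_blk_reset"}
# Events that start a request (handle_write is an assumed name with the same layout).
SUBMIT_EVENTS = {"virtio_blk_handle_read", "virtio_blk_handle_write"}
COMPLETE_EVENT = "virtio_blk_req_complete"


def parse_event(line):
    """Return (event_name, {arg: value}) for a trace line, or None for other lines."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return m.group("name"), dict(ARG_RE.findall(m.group("args")))


def requests_in_flight_across_reset(trace_text):
    """Scan a trace and return (crossed, pending).

    crossed: {req pointer: [reset-path events seen while it was outstanding]}
             for every request that completed after at least one such event.
    pending: req pointers submitted but never completed in the trace (a
             request that is still outstanding when the device goes away is
             the case a use-after-free hunt cares about most).
    """
    in_flight = {}   # req pointer -> reset events observed while outstanding
    crossed = {}
    for line in trace_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        name, args = ev
        if name in SUBMIT_EVENTS:
            in_flight[args["req"]] = []
        elif name in RESET_EVENTS:
            for seen in in_flight.values():
                seen.append(name)
        elif name == COMPLETE_EVENT:
            seen = in_flight.pop(args["req"], None)
            if seen:
                crossed[args["req"]] = seen
    return crossed, list(in_flight)


if __name__ == "__main__":
    for label, trace in (("system_reset", TRACE_RESET_ONLY),
                         ("device_del + system_reset", TRACE_DEVICE_DEL)):
        crossed, pending = requests_in_flight_across_reset(trace)
        print(label, "crossed:", crossed, "pending:", pending)
```

Running this on the first trace reports req 0x611000b07880 as outstanding
across `virtio_pci_reset` and `virtio_blk_data_plane_stop` but completed before
`virtio_blk_reset`; on the second it reports req 0x611001464040 as outstanding
across `virtio_blk_data_plane_stop` only, matching the drain described in the
message. A non-empty `pending` list is the signal worth chasing with
AddressSanitizer.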
