Re: [PATCH] migration/rdma: Fix cm event use after free

2021-06-08 Thread Dr. David Alan Gilbert
* Dr. David Alan Gilbert (dgilb...@redhat.com) wrote:
> * Li Zhijian (lizhij...@cn.fujitsu.com) wrote:
> > Signed-off-by: Li Zhijian 
> 
> Thanks! I don't think I understood that 'ack' actually meant 'free'!
> 
> Reviewed-by: Dr. David Alan Gilbert 

Queued

> 
> > ---
> >  migration/rdma.c | 11 ---
> >  1 file changed, 8 insertions(+), 3 deletions(-)
> > 
> > diff --git a/migration/rdma.c b/migration/rdma.c
> > index 1cdb4561f32..d90b29a4b51 100644
> > --- a/migration/rdma.c
> > +++ b/migration/rdma.c
> > @@ -1539,16 +1539,20 @@ static int qemu_rdma_wait_comp_channel(RDMAContext 
> > *rdma)
> >  
> >  if (pfds[1].revents) {
> >  ret = rdma_get_cm_event(rdma->channel, _event);
> > -if (!ret) {
> > -rdma_ack_cm_event(cm_event);
> > +if (ret) {
> > +error_report("failed to get cm event while wait "
> > + "completion channel");
> > +return -EPIPE;
> >  }
> >  
> >  error_report("receive cm event while wait comp 
> > channel,"
> >   "cm event is %d", cm_event->event);
> >  if (cm_event->event == RDMA_CM_EVENT_DISCONNECTED ||
> >  cm_event->event == RDMA_CM_EVENT_DEVICE_REMOVAL) {
> > +rdma_ack_cm_event(cm_event);
> >  return -EPIPE;
> >  }
> > +rdma_ack_cm_event(cm_event);
> >  }
> >  break;
> >  
> > @@ -3285,7 +3289,6 @@ static void rdma_cm_poll_handler(void *opaque)
> >  error_report("get_cm_event failed %d", errno);
> >  return;
> >  }
> > -rdma_ack_cm_event(cm_event);
> >  
> >  if (cm_event->event == RDMA_CM_EVENT_DISCONNECTED ||
> >  cm_event->event == RDMA_CM_EVENT_DEVICE_REMOVAL) {
> > @@ -3298,12 +3301,14 @@ static void rdma_cm_poll_handler(void *opaque)
> >  rdma->return_path->error_state = -EPIPE;
> >  }
> >  }
> > +rdma_ack_cm_event(cm_event);
> >  
> >  if (mis->migration_incoming_co) {
> >  qemu_coroutine_enter(mis->migration_incoming_co);
> >  }
> >  return;
> >  }
> > +rdma_ack_cm_event(cm_event);
> >  }
> >  
> >  static int qemu_rdma_accept(RDMAContext *rdma)
> > -- 
> > 2.30.2
> > 
> > 
> > 
> -- 
> Dr. David Alan Gilbert / dgilb...@redhat.com / Manchester, UK
> 
> 
-- 
Dr. David Alan Gilbert / dgilb...@redhat.com / Manchester, UK




Re: [PATCH] migration/rdma: Fix cm event use after free

2021-06-02 Thread Dr. David Alan Gilbert
* Li Zhijian (lizhij...@cn.fujitsu.com) wrote:
> Signed-off-by: Li Zhijian 

Thanks! I don't think I understood that 'ack' actually meant 'free'!



Reviewed-by: Dr. David Alan Gilbert 

> ---
>  migration/rdma.c | 11 ---
>  1 file changed, 8 insertions(+), 3 deletions(-)
> 
> diff --git a/migration/rdma.c b/migration/rdma.c
> index 1cdb4561f32..d90b29a4b51 100644
> --- a/migration/rdma.c
> +++ b/migration/rdma.c
> @@ -1539,16 +1539,20 @@ static int qemu_rdma_wait_comp_channel(RDMAContext 
> *rdma)
>  
>  if (pfds[1].revents) {
>  ret = rdma_get_cm_event(rdma->channel, _event);
> -if (!ret) {
> -rdma_ack_cm_event(cm_event);
> +if (ret) {
> +error_report("failed to get cm event while wait "
> + "completion channel");
> +return -EPIPE;
>  }
>  
>  error_report("receive cm event while wait comp channel,"
>   "cm event is %d", cm_event->event);
>  if (cm_event->event == RDMA_CM_EVENT_DISCONNECTED ||
>  cm_event->event == RDMA_CM_EVENT_DEVICE_REMOVAL) {
> +rdma_ack_cm_event(cm_event);
>  return -EPIPE;
>  }
> +rdma_ack_cm_event(cm_event);
>  }
>  break;
>  
> @@ -3285,7 +3289,6 @@ static void rdma_cm_poll_handler(void *opaque)
>  error_report("get_cm_event failed %d", errno);
>  return;
>  }
> -rdma_ack_cm_event(cm_event);
>  
>  if (cm_event->event == RDMA_CM_EVENT_DISCONNECTED ||
>  cm_event->event == RDMA_CM_EVENT_DEVICE_REMOVAL) {
> @@ -3298,12 +3301,14 @@ static void rdma_cm_poll_handler(void *opaque)
>  rdma->return_path->error_state = -EPIPE;
>  }
>  }
> +rdma_ack_cm_event(cm_event);
>  
>  if (mis->migration_incoming_co) {
>  qemu_coroutine_enter(mis->migration_incoming_co);
>  }
>  return;
>  }
> +rdma_ack_cm_event(cm_event);
>  }
>  
>  static int qemu_rdma_accept(RDMAContext *rdma)
> -- 
> 2.30.2
> 
> 
> 
-- 
Dr. David Alan Gilbert / dgilb...@redhat.com / Manchester, UK




[PATCH] migration/rdma: Fix cm event use after free

2021-06-01 Thread Li Zhijian
Signed-off-by: Li Zhijian 
---
 migration/rdma.c | 11 ---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/migration/rdma.c b/migration/rdma.c
index 1cdb4561f32..d90b29a4b51 100644
--- a/migration/rdma.c
+++ b/migration/rdma.c
@@ -1539,16 +1539,20 @@ static int qemu_rdma_wait_comp_channel(RDMAContext 
*rdma)
 
 if (pfds[1].revents) {
 ret = rdma_get_cm_event(rdma->channel, _event);
-if (!ret) {
-rdma_ack_cm_event(cm_event);
+if (ret) {
+error_report("failed to get cm event while wait "
+ "completion channel");
+return -EPIPE;
 }
 
 error_report("receive cm event while wait comp channel,"
  "cm event is %d", cm_event->event);
 if (cm_event->event == RDMA_CM_EVENT_DISCONNECTED ||
 cm_event->event == RDMA_CM_EVENT_DEVICE_REMOVAL) {
+rdma_ack_cm_event(cm_event);
 return -EPIPE;
 }
+rdma_ack_cm_event(cm_event);
 }
 break;
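Review bot: In the `pfds[1].revents` branch the event now has to be acked separately on each exit path (before `return -EPIPE` and again at the end of the block), so any path added later between rdma_get_cm_event() and those calls will either leak the event or read it after it has been released. Copying the type out once and acking immediately removes that lifetime dependency: `enum rdma_cm_event_type ev = cm_event->event;` followed by `rdma_ack_cm_event(cm_event);`, with the error_report() and the DISCONNECTED/DEVICE_REMOVAL test then using `ev`. The same shape would apply to the two acks added in the rdma_cm_poll_handler hunks, provided nothing there needs other fields of the event, which is not visible here. qemu_rdma_wait_comp_channel begins and ends outside the hunk.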
 
@@ -3285,7 +3289,6 @@ static void rdma_cm_poll_handler(void *opaque)
 error_report("get_cm_event failed %d", errno);
 return;
 }
-rdma_ack_cm_event(cm_event);
 
 if (cm_event->event == RDMA_CM_EVENT_DISCONNECTED ||
 cm_event->event == RDMA_CM_EVENT_DEVICE_REMOVAL) {
@@ -3298,12 +3301,14 @@ static void rdma_cm_poll_handler(void *opaque)
 rdma->return_path->error_state = -EPIPE;
 }
 }
+rdma_ack_cm_event(cm_event);
 
 if (mis->migration_incoming_co) {
 qemu_coroutine_enter(mis->migration_incoming_co);
 }
 return;
 }
+rdma_ack_cm_event(cm_event);
 }
 
 static int qemu_rdma_accept(RDMAContext *rdma)
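Review bot: Neither of the two added `rdma_ack_cm_event(cm_event)` calls in rdma_cm_poll_handler carries a comment saying that the ack releases the event, which is the fact this fix depends on and which the review reply in this thread says was not obvious. A one-line comment at the first call, such as `/* rdma_ack_cm_event() frees cm_event; it must not be dereferenced after this */`, would help keep a later edit from moving a read of `cm_event->event` below the ack again. The start of rdma_cm_poll_handler is outside the hunk, so it cannot be confirmed from here that every path after a successful rdma_get_cm_event() reaches one of the two acks.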
-- 
2.30.2