From: Eric Blake
To: qemu-devel@nongnu.org
Cc: pbonzini@redhat.com, qemu-block@nongnu.org
Date: Fri, 26 May 2017 22:04:21 -0500
Message-Id: <20170527030421.28366-1-eblake@redhat.com>
Subject: [Qemu-devel] [PATCH] nbd: Fully initialize client in case of failed negotiation

If a non-NBD client connects to qemu-nbd, we would end up with a
SIGSEGV in nbd_client_put() because we were trying to unregister
the client's association to the export, even though we skipped
inserting the client into that list. Easy trigger in two terminals:

$ qemu-nbd -p 30001 --format=raw file
$ nmap 127.0.0.1 -p 30001

nmap claims that it thinks it connected to a pago-services1 server
(which probably means nmap could be updated to learn the NBD protocol
and give a more accurate diagnosis of the open port - but that's not
our problem), then terminates immediately, so our call to
nbd_negotiate() fails. The fix is to reorder nbd_co_client_start()
to ensure that all initialization occurs before we ever try talking
to a client in nbd_negotiate(), so that the teardown sequence on
negotiation failure doesn't fault while dereferencing a
half-initialized object.

While debugging this, I also noticed that nbd_update_server_watch()
called by nbd_client_closed() was still adding a channel to accept the
next client, even when the state was no longer RUNNING. That is fixed
by making nbd_can_accept() pay attention to the current state.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1451614
Signed-off-by: Eric Blake
---

I'm planning to run a bisect to see which patch actually introduced
the problem, but wanted to post the patch first to get review started.

 nbd/server.c | 14 ++++++--------
 qemu-nbd.c   |  2 +-
 2 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/nbd/server.c b/nbd/server.c
index 0c4f456..d8dfac8 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -1601,16 +1601,14 @@ static coroutine_fn void nbd_co_client_start(void *opaque)
     if (exp) {
         nbd_export_get(exp);
-    }
-    if (nbd_negotiate(data)) {
-        client_close(client);
-        goto out;
-    }
-    qemu_co_mutex_init(&client->send_lock);
-
-    if (exp) {
         QTAILQ_INSERT_TAIL(&exp->clients, client, next);
     }
+    qemu_co_mutex_init(&client->send_lock);
+
+    if (nbd_negotiate(data)) {
+        client_close(client);
+        goto out;
+    }
 
     nbd_client_receive_next_request(client);
diff --git a/qemu-nbd.c b/qemu-nbd.c
index 27a4e3a..5410854 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -322,7 +322,7 @@ out:
 
 static int nbd_can_accept(void)
 {
-    return nb_fds < shared;
+    return state == RUNNING && nb_fds < shared;
 }
 
 static void nbd_export_closed(NBDExport *exp)
-- 
2.9.4
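Review bot: In the nbd/server.c hunk, moving QTAILQ_INSERT_TAIL(&exp->clients, client, next) ahead of nbd_negotiate() means a client that later fails negotiation is, for a while, a full member of exp->clients, so please confirm that everything walking that list tolerates a client whose negotiation never completed, and add a one-line comment above the insertion saying that it must precede nbd_negotiate() because the failure path (client_close() and the nbd_client_put() it leads to) unconditionally unlinks the client from the export; that ordering constraint is exactly what the old code got wrong and nothing in the code now records it. Since the trigger is any TCP peer that connects and hangs up without speaking NBD, this is a remotely reachable SIGSEGV in qemu-nbd and deserves a Cc to qemu-stable.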
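Review bot: The qemu-nbd.c hunk is an independent logical change (stop re-arming the accept watch once state has left RUNNING) that shares nothing with the SIGSEGV fix, and splitting it into its own patch would keep the planned bisect and any stable backport cleaner; the commit message currently gives it one sentence. It is also worth stating in that message which shutdown path sets state to a non-RUNNING value before the last client's nbd_client_closed() runs, because `return state == RUNNING && nb_fds < shared;` only closes the window if that ordering holds on every path.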
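A regression probe for the crash the commit message describes, added here as an example; it is not part of Eric Blake's patch or of the QEMU tree. It mirrors the nmap trigger (one TCP connection closed without speaking NBD), then reconnects and checks that the server still answers with a valid NBD greeting, which is the check a maintainer would run before and after applying the fix. The host and port default to the commit message's 127.0.0.1:30001; the greeting layout (the 8-byte NBDMAGIC followed by either the old-style cliserv magic or the new-style IHAVEOPT magic) comes from the NBD protocol, and everything else, including the function names, is this example's own.

```python
"""Health probe for qemu-nbd after a premature client disconnect (added example)."""
import socket
import struct
import sys

NBD_MAGIC = b"NBDMAGIC"
# Second 8 bytes of the server greeting, big-endian: one of these two magics.
NBD_CLISERV_MAGIC = 0x00420281861253      # old-style handshake
NBD_OPTS_MAGIC = 0x49484156454F5054       # new-style handshake, ASCII "IHAVEOPT"


def classify_greeting(data):
    """Return 'oldstyle', 'newstyle', or None for the first 16 bytes a
    server sends on connect. None means the peer is not talking NBD."""
    if len(data) < 16 or data[:8] != NBD_MAGIC:
        return None
    (second,) = struct.unpack(">Q", data[8:16])
    if second == NBD_CLISERV_MAGIC:
        return "oldstyle"
    if second == NBD_OPTS_MAGIC:
        return "newstyle"
    return None


def recv_exact(sock, n):
    """Read exactly n bytes, or fewer if the peer closes first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe(host="127.0.0.1", port=30001, timeout=3.0):
    """Open and immediately close one connection without negotiating
    (what nmap did in the report), then reconnect and return the greeting
    style the server sends. None means the server stopped answering,
    i.e. the pre-fix behaviour (qemu-nbd died in nbd_client_put())."""
    with socket.create_connection((host, port), timeout=timeout):
        pass  # hang up before nbd_negotiate() sees any bytes
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return classify_greeting(recv_exact(s, 16))
    except OSError:
        return None


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 30001
    style = probe(host, port)
    if style:
        print("server survived premature disconnect, %s greeting" % style)
        sys.exit(0)
    print("no NBD greeting after premature disconnect: server likely crashed")
    sys.exit(1)
```

Run it against a qemu-nbd started as in the commit message (`qemu-nbd -p 30001 --format=raw file`); an unpatched build exits with status 1 on the second connect, a patched one reports the greeting style. Because qemu-nbd defaults to serving one client at a time, the probe makes the two connections strictly in sequence.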