From: Stefan Hajnoczi
Date: Thu, 24 Aug 2017 16:33:43 +0100
Message-Id: <20170824153345.2244-2-stefanha@redhat.com>
In-Reply-To: <20170824153345.2244-1-stefanha@redhat.com>
Subject: [Qemu-devel] [PATCH 1/3] nbd-client: enter read_reply_co during init to avoid crash
Cc: Kevin Wolf, Paolo Bonzini, Stefan Hajnoczi, qemu-block@nongnu.org

The following segfault is encountered if the NBD server closes the UNIX
domain socket immediately after negotiation:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  aio_co_schedule (ctx=0x0, co=0xd3c0ff2ef0) at util/async.c:441
441         QSLIST_INSERT_HEAD_ATOMIC(&ctx->scheduled_coroutines,
(gdb) bt
#0  0x000000d3c01a50f8 in aio_co_schedule (ctx=0x0, co=0xd3c0ff2ef0) at util/async.c:441
#1  0x000000d3c012fa90 in nbd_coroutine_end (bs=bs@entry=0xd3c0fec650, request=) at block/nbd-client.c:207
#2  0x000000d3c012fb58 in nbd_client_co_preadv (bs=0xd3c0fec650, offset=0, bytes=, qiov=0x7ffc10a91b20, flags=0) at block/nbd-client.c:237
#3  0x000000d3c0128e63 in bdrv_driver_preadv (bs=bs@entry=0xd3c0fec650, offset=offset@entry=0, bytes=bytes@entry=512, qiov=qiov@entry=0x7ffc10a91b20, flags=0) at block/io.c:836
#4  0x000000d3c012c3e0 in bdrv_aligned_preadv (child=child@entry=0xd3c0ff51d0, req=req@entry=0x7f31885d6e90, offset=offset@entry=0, bytes=bytes@entry=512, align=align@entry=1, qiov=qiov@entry=0x7ffc10a91b20, flags=0) at block/io.c:1086
#5  0x000000d3c012c6b8 in bdrv_co_preadv (child=0xd3c0ff51d0, offset=offset@entry=0, bytes=bytes@entry=512, qiov=qiov@entry=0x7ffc10a91b20, flags=flags@entry=0) at block/io.c:1182
#6  0x000000d3c011cc17 in blk_co_preadv (blk=0xd3c0ff4f80, offset=0, bytes=512, qiov=0x7ffc10a91b20, flags=0) at block/block-backend.c:1032
#7  0x000000d3c011ccec in blk_read_entry (opaque=0x7ffc10a91b40) at block/block-backend.c:1079
#8  0x000000d3c01bbb96 in coroutine_trampoline (i0=, i1=) at util/coroutine-ucontext.c:79
#9  0x00007f3196cb8600 in __start_context () at /lib64/libc.so.6

The problem is that nbd_client_init() uses nbd_client_attach_aio_context()
-> aio_co_schedule(new_context, client->read_reply_co).  Execution of
read_reply_co is deferred to a BH which doesn't run until later.

In the meantime blk_co_preadv() can be called and nbd_coroutine_end()
calls aio_wake() on read_reply_co.  At this point in time read_reply_co's
ctx isn't set because it has never been entered yet.
This patch enters read_reply_co directly in nbd_client_attach_aio_context().
This is safe because new_context is acquired by the caller.  This ensures
that read_reply_co reaches its first yield point and its ctx is set up.

Note this only happens with UNIX domain sockets on Linux.  It doesn't seem
possible to reproduce this with TCP sockets.

Cc: Paolo Bonzini
Signed-off-by: Stefan Hajnoczi
---
 block/nbd-client.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block/nbd-client.c b/block/nbd-client.c
index 25bcaa2346..0a7f32779e 100644
--- a/block/nbd-client.c
+++ b/block/nbd-client.c
@@ -371,7 +371,7 @@ void nbd_client_attach_aio_context(BlockDriverState *bs,
 {
     NBDClientSession *client = nbd_get_client_session(bs);
     qio_channel_attach_aio_context(QIO_CHANNEL(client->ioc), new_context);
-    aio_co_schedule(new_context, client->read_reply_co);
+    qemu_aio_coroutine_enter(new_context, client->read_reply_co);
 }
 
 void nbd_client_close(BlockDriverState *bs)
-- 
2.13.5
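Review bot: the switch from aio_co_schedule() to qemu_aio_coroutine_enter() in nbd_client_attach_aio_context() turns a deferred, lock-free hand-off into a synchronous entry that is only correct while the caller holds new_context, but that precondition is stated only in the commit message and nowhere in the hunk; add a comment above the function (or next to `+    qemu_aio_coroutine_enter(new_context, client->read_reply_co);`) saying the caller must hold the AioContext lock, and confirm every caller of nbd_client_attach_aio_context() satisfies it, not only the nbd_client_init() path named in the description.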
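The race described in the commit message, reduced to a constructed C model (an added example, not QEMU code or the patch author's): a coroutine's ctx pointer is bound on its first entry, scheduling through a BH does not bind it, and a wake that arrives before the BH has run reads a NULL ctx. The ModelAioContext, ModelCoroutine and model_* names are assumptions of this model that mirror QEMU's for readability; they perform no real context switch, and the NULL dereference that segfaulted in aio_co_schedule() is reported as a status code so both orderings can be compared.

```c
/*
 * Constructed model (added example, not QEMU code) of the ordering bug the
 * patch fixes.  Only the state that matters for the crash is kept: a
 * coroutine's ctx is bound on its FIRST entry, and aio_co_schedule() always
 * dereferences the ctx it is given.
 */
#include <stddef.h>
#include <stdio.h>

#define MODEL_OK        0
#define MODEL_NULL_CTX  (-1)   /* where the real aio_co_schedule() segfaulted */

struct ModelCoroutine;

typedef struct ModelAioContext {
    const char *name;
    struct ModelCoroutine *scheduled[4];  /* stand-in for ctx->scheduled_coroutines */
    int nscheduled;
} ModelAioContext;

typedef struct ModelCoroutine {
    const char *name;
    ModelAioContext *ctx;  /* like Coroutine::ctx: NULL until first entered */
    int entries;
} ModelCoroutine;

/* Model of aio_co_schedule(): queue the coroutine on ctx for a later BH.
 * It touches ctx unconditionally, the line in the backtrace (util/async.c:441);
 * the model returns a status where the real code crashed. */
static int model_aio_co_schedule(ModelAioContext *ctx, ModelCoroutine *co)
{
    if (ctx == NULL) {
        return MODEL_NULL_CTX;
    }
    ctx->scheduled[ctx->nscheduled++] = co;
    return MODEL_OK;
}

/* Model of qemu_aio_coroutine_enter(): bind co->ctx, then run the coroutine
 * up to its first yield (represented here by the entry counter). */
static void model_aio_coroutine_enter(ModelAioContext *ctx, ModelCoroutine *co)
{
    co->ctx = ctx;
    co->entries++;
}

/* Model of aio_co_wake(): read co->ctx and hand the coroutine to it.  The
 * model never runs inside the target context, so it always takes the
 * aio_co_schedule() path, as the crashing thread did. */
static int model_aio_co_wake(ModelCoroutine *co)
{
    return model_aio_co_schedule(co->ctx, co);
}

/* Before the patch: attach defers the first entry to a BH, a read completes
 * before that BH runs, and nbd_coroutine_end() wakes read_reply_co. */
int model_schedule_then_wake(void)
{
    ModelAioContext new_context = { "new_context", { NULL }, 0 };
    ModelCoroutine read_reply_co = { "read_reply_co", NULL, 0 };
    int rc = model_aio_co_schedule(&new_context, &read_reply_co);
    if (rc != MODEL_OK) {
        return rc;
    }
    /* The BH has not run yet, so read_reply_co.ctx is still NULL. */
    return model_aio_co_wake(&read_reply_co);
}

/* After the patch: attach enters read_reply_co directly (the caller holds
 * new_context), so ctx is bound before any wake can arrive. */
int model_enter_then_wake(void)
{
    ModelAioContext new_context = { "new_context", { NULL }, 0 };
    ModelCoroutine read_reply_co = { "read_reply_co", NULL, 0 };
    model_aio_coroutine_enter(&new_context, &read_reply_co);
    return model_aio_co_wake(&read_reply_co);
}

int main(void)
{
    printf("schedule-then-wake: %s\n",
           model_schedule_then_wake() == MODEL_NULL_CTX ? "NULL ctx (crash)" : "ok");
    printf("enter-then-wake:    %s\n",
           model_enter_then_wake() == MODEL_OK ? "ok" : "NULL ctx (crash)");
    return 0;
}
```

The model makes the invariant the patch relies on explicit: whichever path wakes read_reply_co must be unable to run before the coroutine's first entry has bound its ctx, which the direct enter guarantees only because the caller already holds new_context.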