1 | The following changes since commit 013a18edbbc59cdad019100c7d03c0494642b74c: | 1 | The following changes since commit 661c2e1ab29cd9c4d268ae3f44712e8d421c0e56: |
2 | 2 | ||
3 | Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-2020051= | 3 | scripts/checkpatch: Fix a typo (2025-03-04 09:30:26 +0800) |
4 | 4' into staging (2020-05-14 16:17:55 +0100) | ||
5 | 4 | ||
6 | are available in the Git repository at: | 5 | are available in the Git repository at: |
7 | 6 | ||
8 | https://github.com/stefanha/qemu.git tags/block-pull-request | 7 | https://gitlab.com/stefanha/qemu.git tags/block-pull-request |
9 | 8 | ||
10 | for you to fetch changes up to ba607ca8bff4d2c2062902f8355657c865ac7c29: | 9 | for you to fetch changes up to 2ad638a3d160923ef3dbf87c73944e6e44bdc724: |
11 | 10 | ||
12 | aio-posix: disable fdmon-io_uring when GSource is used (2020-05-18 18:16:00= | 11 | block/qed: fix use-after-free by nullifying timer pointer after free (2025-03-06 10:19:54 +0800) |
13 | +0100) | ||
14 | 12 | ||
15 | ---------------------------------------------------------------- | 13 | ---------------------------------------------------------------- |
16 | Pull request | 14 | Pull request |
17 | 15 | ||
16 | QED need_check_timer use-after-free fix | ||
17 | |||
18 | ---------------------------------------------------------------- | 18 | ---------------------------------------------------------------- |
19 | 19 | ||
20 | Philippe Mathieu-Daudé (6): | 20 | Denis Rastyogin (1): |
21 | tests/fuzz/Makefile: Do not link code using unavailable devices | 21 | block/qed: fix use-after-free by nullifying timer pointer after free |
22 | Makefile: List fuzz targets in 'make help' | ||
23 | tests/fuzz: Add missing space in test description | ||
24 | tests/fuzz: Remove unuseful/unused typedefs | ||
25 | tests/fuzz: Extract pciconfig_fuzz_qos() method | ||
26 | tests/fuzz: Extract ioport_fuzz_qtest() method | ||
27 | 22 | ||
28 | Stefan Hajnoczi (2): | 23 | block/qed.c | 1 + |
29 | aio-posix: don't duplicate fd handler deletion in | 24 | 1 file changed, 1 insertion(+) |
30 | fdmon_io_uring_destroy() | ||
31 | aio-posix: disable fdmon-io_uring when GSource is used | ||
32 | 25 | ||
33 | Makefile | 6 +++- | 26 | -- |
34 | tests/qtest/fuzz/Makefile.include | 6 ++-- | 27 | 2.48.1 |
35 | include/block/aio.h | 3 ++ | ||
36 | tests/qtest/fuzz/i440fx_fuzz.c | 47 ++++++++++++++++++++----------- | ||
37 | util/aio-posix.c | 13 +++++++++ | ||
38 | util/aio-win32.c | 4 +++ | ||
39 | util/async.c | 1 + | ||
40 | util/fdmon-io_uring.c | 13 +++++++-- | ||
41 | 8 files changed, 69 insertions(+), 24 deletions(-) | ||
42 | |||
43 | -- | ||
44 | 2.25.3 | ||
1 | From: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
2 | 1 | ||
3 | Some devices availability depends on CONFIG options. | ||
4 | Use these options to only link tests when requested device | ||
5 | is available. | ||
6 | |||
7 | Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
8 | Message-id: 20200514143433.18569-2-philmd@redhat.com | ||
9 | Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> | ||
10 | --- | ||
11 | tests/qtest/fuzz/Makefile.include | 6 +++--- | ||
12 | 1 file changed, 3 insertions(+), 3 deletions(-) | ||
13 | |||
14 | diff --git a/tests/qtest/fuzz/Makefile.include b/tests/qtest/fuzz/Makefile.include | ||
15 | index XXXXXXX..XXXXXXX 100644 | ||
16 | --- a/tests/qtest/fuzz/Makefile.include | ||
17 | +++ b/tests/qtest/fuzz/Makefile.include | ||
18 | @@ -XXX,XX +XXX,XX @@ fuzz-obj-y += tests/qtest/fuzz/fork_fuzz.o | ||
19 | fuzz-obj-y += tests/qtest/fuzz/qos_fuzz.o | ||
20 | |||
21 | # Targets | ||
22 | -fuzz-obj-y += tests/qtest/fuzz/i440fx_fuzz.o | ||
23 | -fuzz-obj-y += tests/qtest/fuzz/virtio_net_fuzz.o | ||
24 | -fuzz-obj-y += tests/qtest/fuzz/virtio_scsi_fuzz.o | ||
25 | +fuzz-obj-$(CONFIG_PCI_I440FX) += tests/qtest/fuzz/i440fx_fuzz.o | ||
26 | +fuzz-obj-$(CONFIG_VIRTIO_NET) += tests/qtest/fuzz/virtio_net_fuzz.o | ||
27 | +fuzz-obj-$(CONFIG_SCSI) += tests/qtest/fuzz/virtio_scsi_fuzz.o | ||
28 | |||
29 | FUZZ_CFLAGS += -I$(SRC_PATH)/tests -I$(SRC_PATH)/tests/qtest | ||
30 | |||
31 | -- | ||
32 | 2.25.3 | ||
1 | From: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
2 | 1 | ||
3 | List softmmu fuzz targets in 'make help' output: | ||
4 | |||
5 | $ make help | ||
6 | ... | ||
7 | Architecture specific targets: | ||
8 | aarch64-softmmu/all - Build for aarch64-softmmu | ||
9 | aarch64-softmmu/fuzz - Build fuzzer for aarch64-softmmu | ||
10 | alpha-softmmu/all - Build for alpha-softmmu | ||
11 | alpha-softmmu/fuzz - Build fuzzer for alpha-softmmu | ||
12 | arm-softmmu/all - Build for arm-softmmu | ||
13 | arm-softmmu/fuzz - Build fuzzer for arm-softmmu | ||
14 | ... | ||
15 | |||
16 | Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
17 | Message-id: 20200514143433.18569-3-philmd@redhat.com | ||
18 | Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> | ||
19 | --- | ||
20 | Makefile | 6 +++++- | ||
21 | 1 file changed, 5 insertions(+), 1 deletion(-) | ||
22 | |||
23 | diff --git a/Makefile b/Makefile | ||
24 | index XXXXXXX..XXXXXXX 100644 | ||
25 | --- a/Makefile | ||
26 | +++ b/Makefile | ||
27 | @@ -XXX,XX +XXX,XX @@ endif | ||
28 | @$(if $(TARGET_DIRS), \ | ||
29 | echo 'Architecture specific targets:'; \ | ||
30 | $(foreach t, $(TARGET_DIRS), \ | ||
31 | - $(call print-help-run,$(t)/all,Build for $(t));) \ | ||
32 | + $(call print-help-run,$(t)/all,Build for $(t)); \ | ||
33 | + $(if $(CONFIG_FUZZ), \ | ||
34 | + $(if $(findstring softmmu,$(t)), \ | ||
35 | + $(call print-help-run,$(t)/fuzz,Build fuzzer for $(t)); \ | ||
36 | + ))) \ | ||
37 | echo '') | ||
38 | @$(if $(TOOLS), \ | ||
39 | echo 'Tools targets:'; \ | ||
40 | -- | ||
41 | 2.25.3 | ||
1 | From: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
2 | 1 | ||
3 | Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
4 | Message-id: 20200514143433.18569-4-philmd@redhat.com | ||
5 | Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> | ||
6 | --- | ||
7 | tests/qtest/fuzz/i440fx_fuzz.c | 6 +++--- | ||
8 | 1 file changed, 3 insertions(+), 3 deletions(-) | ||
9 | |||
10 | diff --git a/tests/qtest/fuzz/i440fx_fuzz.c b/tests/qtest/fuzz/i440fx_fuzz.c | ||
11 | index XXXXXXX..XXXXXXX 100644 | ||
12 | --- a/tests/qtest/fuzz/i440fx_fuzz.c | ||
13 | +++ b/tests/qtest/fuzz/i440fx_fuzz.c | ||
14 | @@ -XXX,XX +XXX,XX @@ static void register_pci_fuzz_targets(void) | ||
15 | /* Uses simple qtest commands and reboots to reset state */ | ||
16 | fuzz_add_target(&(FuzzTarget){ | ||
17 | .name = "i440fx-qtest-reboot-fuzz", | ||
18 | - .description = "Fuzz the i440fx using raw qtest commands and" | ||
19 | + .description = "Fuzz the i440fx using raw qtest commands and " | ||
20 | "rebooting after each run", | ||
21 | .get_init_cmdline = i440fx_argv, | ||
22 | .fuzz = i440fx_fuzz_qtest}); | ||
23 | @@ -XXX,XX +XXX,XX @@ static void register_pci_fuzz_targets(void) | ||
24 | /* Uses libqos and forks to prevent state leakage */ | ||
25 | fuzz_add_qos_target(&(FuzzTarget){ | ||
26 | .name = "i440fx-qos-fork-fuzz", | ||
27 | - .description = "Fuzz the i440fx using raw qtest commands and" | ||
28 | + .description = "Fuzz the i440fx using raw qtest commands and " | ||
29 | "rebooting after each run", | ||
30 | .pre_vm_init = &fork_init, | ||
31 | .fuzz = i440fx_fuzz_qos_fork,}, | ||
32 | @@ -XXX,XX +XXX,XX @@ static void register_pci_fuzz_targets(void) | ||
33 | */ | ||
34 | fuzz_add_qos_target(&(FuzzTarget){ | ||
35 | .name = "i440fx-qos-noreset-fuzz", | ||
36 | - .description = "Fuzz the i440fx using raw qtest commands and" | ||
37 | + .description = "Fuzz the i440fx using raw qtest commands and " | ||
38 | "rebooting after each run", | ||
39 | .fuzz = i440fx_fuzz_qos,}, | ||
40 | "i440FX-pcihost", | ||
41 | -- | ||
42 | 2.25.3 | ||
1 | From: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
2 | 1 | ||
3 | These typedefs are not used. Use a simple structure, | ||
4 | remove the typedefs. | ||
5 | |||
6 | Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
7 | Message-id: 20200514143433.18569-5-philmd@redhat.com | ||
8 | Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> | ||
9 | --- | ||
10 | tests/qtest/fuzz/i440fx_fuzz.c | 10 ++++------ | ||
11 | 1 file changed, 4 insertions(+), 6 deletions(-) | ||
12 | |||
13 | diff --git a/tests/qtest/fuzz/i440fx_fuzz.c b/tests/qtest/fuzz/i440fx_fuzz.c | ||
14 | index XXXXXXX..XXXXXXX 100644 | ||
15 | --- a/tests/qtest/fuzz/i440fx_fuzz.c | ||
16 | +++ b/tests/qtest/fuzz/i440fx_fuzz.c | ||
17 | @@ -XXX,XX +XXX,XX @@ static void i440fx_fuzz_qtest(QTestState *s, | ||
18 | * loop over the Data, breaking it up into actions. each action has an | ||
19 | * opcode, address offset and value | ||
20 | */ | ||
21 | - typedef struct QTestFuzzAction { | ||
22 | + struct { | ||
23 | uint8_t opcode; | ||
24 | uint8_t addr; | ||
25 | uint32_t value; | ||
26 | - } QTestFuzzAction; | ||
27 | - QTestFuzzAction a; | ||
28 | + } a; | ||
29 | |||
30 | while (Size >= sizeof(a)) { | ||
31 | /* make a copy of the action so we can normalize the values in-place */ | ||
32 | @@ -XXX,XX +XXX,XX @@ static void i440fx_fuzz_qos(QTestState *s, | ||
33 | * Same as i440fx_fuzz_qtest, but using QOS. devfn is incorporated into the | ||
34 | * value written over Port IO | ||
35 | */ | ||
36 | - typedef struct QOSFuzzAction { | ||
37 | + struct { | ||
38 | uint8_t opcode; | ||
39 | uint8_t offset; | ||
40 | int devfn; | ||
41 | uint32_t value; | ||
42 | - } QOSFuzzAction; | ||
43 | + } a; | ||
44 | |||
45 | static QPCIBus *bus; | ||
46 | if (!bus) { | ||
47 | bus = qpci_new_pc(s, fuzz_qos_alloc); | ||
48 | } | ||
49 | |||
50 | - QOSFuzzAction a; | ||
51 | while (Size >= sizeof(a)) { | ||
52 | memcpy(&a, Data, sizeof(a)); | ||
53 | switch (a.opcode % ACTION_MAX) { | ||
54 | -- | ||
55 | 2.25.3 | ||
1 | From: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
2 | 1 | ||
3 | Extract the generic pciconfig_fuzz_qos() method from | ||
4 | i440fx_fuzz_qos(). This will help to write tests not | ||
5 | specific to the i440FX controller. | ||
6 | |||
7 | Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
8 | Message-id: 20200514143433.18569-6-philmd@redhat.com | ||
9 | Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> | ||
10 | --- | ||
11 | tests/qtest/fuzz/i440fx_fuzz.c | 20 ++++++++++++++------ | ||
12 | 1 file changed, 14 insertions(+), 6 deletions(-) | ||
13 | |||
14 | diff --git a/tests/qtest/fuzz/i440fx_fuzz.c b/tests/qtest/fuzz/i440fx_fuzz.c | ||
15 | index XXXXXXX..XXXXXXX 100644 | ||
16 | --- a/tests/qtest/fuzz/i440fx_fuzz.c | ||
17 | +++ b/tests/qtest/fuzz/i440fx_fuzz.c | ||
18 | @@ -XXX,XX +XXX,XX @@ static void i440fx_fuzz_qtest(QTestState *s, | ||
19 | flush_events(s); | ||
20 | } | ||
21 | |||
22 | -static void i440fx_fuzz_qos(QTestState *s, | ||
23 | +static void pciconfig_fuzz_qos(QTestState *s, QPCIBus *bus, | ||
24 | const unsigned char *Data, size_t Size) { | ||
25 | /* | ||
26 | * Same as i440fx_fuzz_qtest, but using QOS. devfn is incorporated into the | ||
27 | @@ -XXX,XX +XXX,XX @@ static void i440fx_fuzz_qos(QTestState *s, | ||
28 | uint32_t value; | ||
29 | } a; | ||
30 | |||
31 | - static QPCIBus *bus; | ||
32 | - if (!bus) { | ||
33 | - bus = qpci_new_pc(s, fuzz_qos_alloc); | ||
34 | - } | ||
35 | - | ||
36 | while (Size >= sizeof(a)) { | ||
37 | memcpy(&a, Data, sizeof(a)); | ||
38 | switch (a.opcode % ACTION_MAX) { | ||
39 | @@ -XXX,XX +XXX,XX @@ static void i440fx_fuzz_qos(QTestState *s, | ||
40 | flush_events(s); | ||
41 | } | ||
42 | |||
43 | +static void i440fx_fuzz_qos(QTestState *s, | ||
44 | + const unsigned char *Data, | ||
45 | + size_t Size) | ||
46 | +{ | ||
47 | + static QPCIBus *bus; | ||
48 | + | ||
49 | + if (!bus) { | ||
50 | + bus = qpci_new_pc(s, fuzz_qos_alloc); | ||
51 | + } | ||
52 | + | ||
53 | + pciconfig_fuzz_qos(s, bus, Data, Size); | ||
54 | +} | ||
55 | + | ||
56 | static void i440fx_fuzz_qos_fork(QTestState *s, | ||
57 | const unsigned char *Data, size_t Size) { | ||
58 | if (fork() == 0) { | ||
59 | -- | ||
60 | 2.25.3 | ||
1 | From: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
2 | 1 | ||
3 | Extract generic ioport_fuzz_qtest() method from | ||
4 | i440fx_fuzz_qtest(). This will help to write tests | ||
5 | not specific to the i440FX controller. | ||
6 | |||
7 | Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
8 | Message-id: 20200514143433.18569-7-philmd@redhat.com | ||
9 | Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> | ||
10 | --- | ||
11 | tests/qtest/fuzz/i440fx_fuzz.c | 11 +++++++++-- | ||
12 | 1 file changed, 9 insertions(+), 2 deletions(-) | ||
13 | |||
14 | diff --git a/tests/qtest/fuzz/i440fx_fuzz.c b/tests/qtest/fuzz/i440fx_fuzz.c | ||
15 | index XXXXXXX..XXXXXXX 100644 | ||
16 | --- a/tests/qtest/fuzz/i440fx_fuzz.c | ||
17 | +++ b/tests/qtest/fuzz/i440fx_fuzz.c | ||
18 | @@ -XXX,XX +XXX,XX @@ enum action_id { | ||
19 | ACTION_MAX | ||
20 | }; | ||
21 | |||
22 | -static void i440fx_fuzz_qtest(QTestState *s, | ||
23 | +static void ioport_fuzz_qtest(QTestState *s, | ||
24 | const unsigned char *Data, size_t Size) { | ||
25 | /* | ||
26 | * loop over the Data, breaking it up into actions. each action has an | ||
27 | @@ -XXX,XX +XXX,XX @@ static void i440fx_fuzz_qtest(QTestState *s, | ||
28 | flush_events(s); | ||
29 | } | ||
30 | |||
31 | +static void i440fx_fuzz_qtest(QTestState *s, | ||
32 | + const unsigned char *Data, | ||
33 | + size_t Size) | ||
34 | +{ | ||
35 | + ioport_fuzz_qtest(s, Data, Size); | ||
36 | +} | ||
37 | + | ||
38 | static void pciconfig_fuzz_qos(QTestState *s, QPCIBus *bus, | ||
39 | const unsigned char *Data, size_t Size) { | ||
40 | /* | ||
41 | - * Same as i440fx_fuzz_qtest, but using QOS. devfn is incorporated into the | ||
42 | + * Same as ioport_fuzz_qtest, but using QOS. devfn is incorporated into the | ||
43 | * value written over Port IO | ||
44 | */ | ||
45 | struct { | ||
46 | -- | ||
47 | 2.25.3 | ||
1 | The io_uring file descriptor monitoring implementation has an internal | ||
2 | list of fd handlers that are pending submission to io_uring. | ||
3 | fdmon_io_uring_destroy() deletes all fd handlers on the list. | ||
4 | 1 | ||
5 | Don't delete fd handlers directly in fdmon_io_uring_destroy() for two | ||
6 | reasons: | ||
7 | 1. This duplicates the aio-posix.c AioHandler deletion code and could | ||
8 | become outdated if the struct changes. | ||
9 | 2. Only handlers with the FDMON_IO_URING_REMOVE flag set are safe to | ||
10 | remove. If the flag is not set then something still has a pointer to | ||
11 | the fd handler. Let aio-posix.c and its user worry about that. In | ||
12 | practice this isn't an issue because fdmon_io_uring_destroy() is only | ||
13 | called when shutting down so all users have removed their fd | ||
14 | handlers, but the next patch will need this! | ||
15 | |||
16 | Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> | ||
17 | Tested-by: Oleksandr Natalenko <oleksandr@redhat.com> | ||
18 | Message-id: 20200511183630.279750-2-stefanha@redhat.com | ||
19 | Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> | ||
20 | --- | ||
21 | util/aio-posix.c | 1 + | ||
22 | util/fdmon-io_uring.c | 13 ++++++++++--- | ||
23 | 2 files changed, 11 insertions(+), 3 deletions(-) | ||
24 | |||
25 | diff --git a/util/aio-posix.c b/util/aio-posix.c | ||
26 | index XXXXXXX..XXXXXXX 100644 | ||
27 | --- a/util/aio-posix.c | ||
28 | +++ b/util/aio-posix.c | ||
29 | @@ -XXX,XX +XXX,XX @@ void aio_context_destroy(AioContext *ctx) | ||
30 | { | ||
31 | fdmon_io_uring_destroy(ctx); | ||
32 | fdmon_epoll_disable(ctx); | ||
33 | + aio_free_deleted_handlers(ctx); | ||
34 | } | ||
35 | |||
36 | void aio_context_set_poll_params(AioContext *ctx, int64_t max_ns, | ||
37 | diff --git a/util/fdmon-io_uring.c b/util/fdmon-io_uring.c | ||
38 | index XXXXXXX..XXXXXXX 100644 | ||
39 | --- a/util/fdmon-io_uring.c | ||
40 | +++ b/util/fdmon-io_uring.c | ||
41 | @@ -XXX,XX +XXX,XX @@ void fdmon_io_uring_destroy(AioContext *ctx) | ||
42 | |||
43 | io_uring_queue_exit(&ctx->fdmon_io_uring); | ||
44 | |||
45 | - /* No need to submit these anymore, just free them. */ | ||
46 | + /* Move handlers due to be removed onto the deleted list */ | ||
47 | while ((node = QSLIST_FIRST_RCU(&ctx->submit_list))) { | ||
48 | + unsigned flags = atomic_fetch_and(&node->flags, | ||
49 | + ~(FDMON_IO_URING_PENDING | | ||
50 | + FDMON_IO_URING_ADD | | ||
51 | + FDMON_IO_URING_REMOVE)); | ||
52 | + | ||
53 | + if (flags & FDMON_IO_URING_REMOVE) { | ||
54 | + QLIST_INSERT_HEAD_RCU(&ctx->deleted_aio_handlers, node, node_deleted); | ||
55 | + } | ||
56 | + | ||
57 | QSLIST_REMOVE_HEAD_RCU(&ctx->submit_list, node_submitted); | ||
58 | - QLIST_REMOVE(node, node); | ||
59 | - g_free(node); | ||
60 | } | ||
61 | |||
62 | ctx->fdmon_ops = &fdmon_poll_ops; | ||
63 | -- | ||
64 | 2.25.3 | ||
1 | The glib event loop does not call fdmon_io_uring_wait() so fd handlers | 1 | From: Denis Rastyogin <gerben@altlinux.org> |
2 | waiting to be submitted build up in the list. There is no benefit in | ||
3 | using io_uring when the glib GSource is being used, so disable it | ||
4 | instead of implementing a more complex fix. | ||
5 | 2 | ||
6 | This fixes a memory leak where AioHandlers would build up and increasing | 3 | This error was discovered by fuzzing qemu-img. |
7 | amounts of CPU time were spent iterating them in aio_pending(). The | ||
8 | symptom is that guests become slow when QEMU is built with io_uring | ||
9 | support. | ||
10 | 4 | ||
11 | Buglink: https://bugs.launchpad.net/qemu/+bug/1877716 | 5 | In the QED block driver, the need_check_timer timer is freed in |
12 | Fixes: 73fd282e7b6dd4e4ea1c3bbb3d302c8db51e4ccf ("aio-posix: add io_uring fd monitoring implementation") | 6 | bdrv_qed_detach_aio_context, but the pointer to the timer is not |
13 | Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> | 7 | set to NULL. This can lead to a use-after-free scenario |
14 | Tested-by: Oleksandr Natalenko <oleksandr@redhat.com> | 8 | in bdrv_qed_drain_begin(). |
15 | Message-id: 20200511183630.279750-3-stefanha@redhat.com | 9 | |
10 | The need_check_timer pointer is set to NULL after freeing the timer, | ||
11 | which lets the check in bdrv_qed_drain_begin() catch this condition. | ||
12 | |||
13 | Closes: https://gitlab.com/qemu-project/qemu/-/issues/2852 | ||
14 | Signed-off-by: Denis Rastyogin <gerben@altlinux.org> | ||
15 | Message-ID: <20250304083927.37681-1-gerben@altlinux.org> | ||
16 | Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> | 16 | Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> |
17 | --- | 17 | --- |
18 | include/block/aio.h | 3 +++ | 18 | block/qed.c | 1 + |
19 | util/aio-posix.c | 12 ++++++++++++ | 19 | 1 file changed, 1 insertion(+) |
20 | util/aio-win32.c | 4 ++++ | ||
21 | util/async.c | 1 + | ||
22 | 4 files changed, 20 insertions(+) | ||
23 | 20 | ||
24 | diff --git a/include/block/aio.h b/include/block/aio.h | 21 | diff --git a/block/qed.c b/block/qed.c |
25 | index XXXXXXX..XXXXXXX 100644 | 22 | index XXXXXXX..XXXXXXX 100644 |
26 | --- a/include/block/aio.h | 23 | --- a/block/qed.c |
27 | +++ b/include/block/aio.h | 24 | +++ b/block/qed.c |
28 | @@ -XXX,XX +XXX,XX @@ void aio_context_setup(AioContext *ctx); | 25 | @@ -XXX,XX +XXX,XX @@ static void bdrv_qed_detach_aio_context(BlockDriverState *bs) |
29 | */ | 26 | |
30 | void aio_context_destroy(AioContext *ctx); | 27 | qed_cancel_need_check_timer(s); |
31 | 28 | timer_free(s->need_check_timer); | |
32 | +/* Used internally, do not call outside AioContext code */ | 29 | + s->need_check_timer = NULL; |
33 | +void aio_context_use_g_source(AioContext *ctx); | ||
34 | + | ||
35 | /** | ||
36 | * aio_context_set_poll_params: | ||
37 | * @ctx: the aio context | ||
38 | diff --git a/util/aio-posix.c b/util/aio-posix.c | ||
39 | index XXXXXXX..XXXXXXX 100644 | ||
40 | --- a/util/aio-posix.c | ||
41 | +++ b/util/aio-posix.c | ||
42 | @@ -XXX,XX +XXX,XX @@ void aio_context_destroy(AioContext *ctx) | ||
43 | aio_free_deleted_handlers(ctx); | ||
44 | } | 30 | } |
45 | 31 | ||
46 | +void aio_context_use_g_source(AioContext *ctx) | 32 | static void bdrv_qed_attach_aio_context(BlockDriverState *bs, |
47 | +{ | ||
48 | + /* | ||
49 | + * Disable io_uring when the glib main loop is used because it doesn't | ||
50 | + * support mixed glib/aio_poll() usage. It relies on aio_poll() being | ||
51 | + * called regularly so that changes to the monitored file descriptors are | ||
52 | + * submitted, otherwise a list of pending fd handlers builds up. | ||
53 | + */ | ||
54 | + fdmon_io_uring_destroy(ctx); | ||
55 | + aio_free_deleted_handlers(ctx); | ||
56 | +} | ||
57 | + | ||
58 | void aio_context_set_poll_params(AioContext *ctx, int64_t max_ns, | ||
59 | int64_t grow, int64_t shrink, Error **errp) | ||
60 | { | ||
61 | diff --git a/util/aio-win32.c b/util/aio-win32.c | ||
62 | index XXXXXXX..XXXXXXX 100644 | ||
63 | --- a/util/aio-win32.c | ||
64 | +++ b/util/aio-win32.c | ||
65 | @@ -XXX,XX +XXX,XX @@ void aio_context_destroy(AioContext *ctx) | ||
66 | { | ||
67 | } | ||
68 | |||
69 | +void aio_context_use_g_source(AioContext *ctx) | ||
70 | +{ | ||
71 | +} | ||
72 | + | ||
73 | void aio_context_set_poll_params(AioContext *ctx, int64_t max_ns, | ||
74 | int64_t grow, int64_t shrink, Error **errp) | ||
75 | { | ||
76 | diff --git a/util/async.c b/util/async.c | ||
77 | index XXXXXXX..XXXXXXX 100644 | ||
78 | --- a/util/async.c | ||
79 | +++ b/util/async.c | ||
80 | @@ -XXX,XX +XXX,XX @@ static GSourceFuncs aio_source_funcs = { | ||
81 | |||
82 | GSource *aio_get_g_source(AioContext *ctx) | ||
83 | { | ||
84 | + aio_context_use_g_source(ctx); | ||
85 | g_source_ref(&ctx->source); | ||
86 | return &ctx->source; | ||
87 | } | ||
88 | -- | 33 | -- |
89 | 2.25.3 | 34 | 2.48.1 |