From nobody Tue Feb 10 10:20:08 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=yandex-team.ru ARC-Seal: i=1; a=rsa-sha256; t=1611865268; cv=none; d=zohomail.com; s=zohoarc; b=M0myHCsBovAX1fhFJE6eMYt0bHRu3ZvaCipAvnX3n4Up2yXtNiq3N562n/QykQ5ydN/d8KwQt11wY+L2e2+0D3axGOKw7+VBW8lZUS5/YLK4Vw5aO8QrjvP/Ag7Tm574lvO8SMwHfjZTIjoVaVUju9afS23YbVFl3u8NUnm2EH0= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1611865268; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=9aKmtPPJWdynmvROmuUuyxx7m8OedJwSFiN5+GXjT3k=; b=Dt7b7sj2Fik4lVqY/sTDQfqKCDh0nEZLO4SMLWYXJrfat6Bnd5Ew9iPLg2zC+uuA3Tukj6ijEpewoLysrDdTTD4x3XGnxf+1l0yFtyqWFPmliVdAR1B/NU6nBbS3cjPTthmL0fhHqdFP8fpJWgrWgXCypfctNsmwxKMaf5L3SOM= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail header.from= (p=none dis=none) header.from= Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1611865268955484.29574910633517; Thu, 28 Jan 2021 12:21:08 -0800 (PST) Received: from localhost ([::1]:41778 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1l5Dmt-0001ot-MT for importer@patchew.org; Thu, 28 Jan 2021 15:21:07 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:58290) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1l5Dgc-0004Ur-S5; Thu, 28 Jan 2021 15:14:39 -0500 Received: from forwardcorp1o.mail.yandex.net ([95.108.205.193]:40016) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1l5DgV-0002k1-6v; Thu, 28 Jan 2021 15:14:38 -0500 Received: from vla1-fdfb804fb3f3.qloud-c.yandex.net (vla1-fdfb804fb3f3.qloud-c.yandex.net [IPv6:2a02:6b8:c0d:3199:0:640:fdfb:804f]) by forwardcorp1o.mail.yandex.net (Yandex) with ESMTP id E4D732E1E8A; Thu, 28 Jan 2021 23:14:24 +0300 (MSK) Received: from vla1-81430ab5870b.qloud-c.yandex.net (vla1-81430ab5870b.qloud-c.yandex.net [2a02:6b8:c0d:35a1:0:640:8143:ab5]) by vla1-fdfb804fb3f3.qloud-c.yandex.net (mxbackcorp/Yandex) with ESMTP id JvOtNJJxGH-EOw4KhQq; Thu, 28 Jan 2021 23:14:24 +0300 Received: from dynamic-vpn.dhcp.yndx.net (dynamic-vpn.dhcp.yndx.net [2a02:6b8:b081:420::1:f]) by vla1-81430ab5870b.qloud-c.yandex.net (smtpcorp/Yandex) with ESMTPSA id fjMENJuJUJ-ENmWuBqU; Thu, 28 Jan 2021 23:14:24 +0300 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (Client certificate not present) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex-team.ru; s=default; t=1611864864; bh=9aKmtPPJWdynmvROmuUuyxx7m8OedJwSFiN5+GXjT3k=; h=In-Reply-To:Message-Id:References:Date:Subject:To:From:Cc; b=P+DMxrsm6mmjW6CBD+tv8E1drH6qF8p7OiatjR5GkzHvC3JvlHFDiT2X19AcFm1eQ 1kwUG1aon35HPLt3UKSK73D8+2fnoSvZy593vob7yjJJUwyxoOZJLxMtk1YsJR3LgB PSASZDxMX6DdrgMDlIxrzfeNFzLD4dw4Ab+v0NoI= Authentication-Results: vla1-fdfb804fb3f3.qloud-c.yandex.net; dkim=pass header.i=@yandex-team.ru From: Roman Kagan To: qemu-devel@nongnu.org Subject: [PATCH 1/3] block/nbd: only detach existing iochannel from aio_context Date: Thu, 28 Jan 2021 23:14:16 +0300 Message-Id: <20210128201418.607640-2-rvkagan@yandex-team.ru> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20210128201418.607640-1-rvkagan@yandex-team.ru> References: <20210128201418.607640-1-rvkagan@yandex-team.ru> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=95.108.205.193; envelope-from=rvkagan@yandex-team.ru; helo=forwardcorp1o.mail.yandex.net X-Spam_score_int: -27 X-Spam_score: -2.8 X-Spam_bar: -- X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Kevin Wolf , Vladimir Sementsov-Ogievskiy , qemu-block@nongnu.org, Max Reitz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail-DKIM: fail (Header signature does not verify) Content-Type: text/plain; charset="utf-8" When the reconnect in NBD client is in progress, the iochannel used for NBD connection doesn't exist. Therefore an attempt to detach it from the aio_context of the parent BlockDriverState results in a NULL pointer dereference. The problem is triggerable, in particular, when an outgoing migration is about to finish, and stopping the dataplane tries to move the BlockDriverState from the iothread aio_context to the main loop. If the NBD connection is lost before this point, and the NBD client has entered the reconnect procedure, QEMU crashes: at /build/qemu-gYtjVn/qemu-5.0.1/io/channel.c:452 at /build/qemu-gYtjVn/qemu-5.0.1/block.c:6151 new_context=3Dnew_context@entry=3D0x562a260c9580, ignore=3Dignore@entry=3D0x7feeadc9b780) at /build/qemu-gYtjVn/qemu-5.0.1/block.c:6230 (bs=3Dbs@entry=3D0x562a268d6a00, ctx=3D0x562a260c9580, ignore_child=3D, errp=3D) at /build/qemu-gYtjVn/qemu-5.0.1/block.c:6332 new_context=3D0x562a260c9580, update_root_node=3Dupdate_root_node@entry=3Dtrue, errp=3Derrp@entry=3D0= x0) at /build/qemu-gYtjVn/qemu-5.0.1/block/block-backend.c:1989 new_context=3D, errp=3Derrp@entry=3D0x0) at /build/qemu-gYtjVn/qemu-5.0.1/block/block-backend.c:2010 out>) at /build/qemu-gYtjVn/qemu-5.0.1/hw/block/dataplane/virtio-blk.c:292 at /build/qemu-gYtjVn/qemu-5.0.1/hw/virtio/virtio-bus.c:245 running=3D0, state=3D) at /build/qemu-gYtjVn/qemu-5.0.1/hw/virtio/virtio.c:3220 state=3Dstate@entry=3DRUN_STATE_FINISH_MIGRATE) at /build/qemu-gYtjVn/qemu-5.0.1/softmmu/vl.c:1275 send_stop=3D) at /build/qemu-gYtjVn/qemu-5.0.1/cpus.c:1032 at /build/qemu-gYtjVn/qemu-5.0.1/migration/migration.c:2914 at /build/qemu-gYtjVn/qemu-5.0.1/migration/migration.c:3275 at /build/qemu-gYtjVn/qemu-5.0.1/migration/migration.c:3439 at /build/qemu-gYtjVn/qemu-5.0.1/util/qemu-thread-posix.c:519 at pthread_create.c:333 oldval=3D0x562a2452b138, oldlenp=3D0x0, newval=3D0x562a2452c5e0 <__func__.28102>, newlen=3D0) at ../sysdeps/unix/sysv/linux/sysctl.c:30 Fix it by checking that the iochannel is non-null before trying to detach it from the aio_context. If it is null, no detaching is needed, and it will get reattached in the proper aio_context once the connection is reestablished. Signed-off-by: Roman Kagan Reviewed-by: Vladimir Sementsov-Ogievskiy --- block/nbd.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/block/nbd.c b/block/nbd.c index 42e10c7c93..bcd6641e90 100644 --- a/block/nbd.c +++ b/block/nbd.c @@ -235,7 +235,14 @@ static void nbd_client_detach_aio_context(BlockDriverS= tate *bs) =20 /* Timer is deleted in nbd_client_co_drain_begin() */ assert(!s->reconnect_delay_timer); - qio_channel_detach_aio_context(QIO_CHANNEL(s->ioc)); + /* + * If reconnect is in progress we may have no ->ioc. It will be + * re-instantiated in the proper aio context once the connection is + * reestablished. + */ + if (s->ioc) { + qio_channel_detach_aio_context(QIO_CHANNEL(s->ioc)); + } } =20 static void nbd_client_attach_aio_context_bh(void *opaque) --=20 2.29.2