From: Klaus Jensen
To: qemu-devel@nongnu.org
Cc: Keith Busch, Klaus Jensen, qemu-block@nongnu.org, Klaus Jensen, Jonathan Derrick
Subject: [PATCH for-7.2 1/5] hw/nvme: fix aio cancel in format
Date: Tue, 22 Nov 2022 09:13:44 +0100
Message-Id: <20221122081348.49963-2-its@irrelevant.dk>
In-Reply-To: <20221122081348.49963-1-its@irrelevant.dk>
References: <20221122081348.49963-1-its@irrelevant.dk>

There are several bugs in the async cancel code for the Format command.

Firstly, cancelling a format operation neglects to set iocb->ret as well as clearing the iocb->aiocb after cancelling the underlying aiocb which causes the aio callback to ignore the cancellation. Trivial fix.

Secondly, and worse, because the request is queued up for posting to the CQ in a bottom half, if the cancellation is due to the submission queue being deleted (which calls blk_aio_cancel), the req structure is deallocated in nvme_del_sq prior to the bottom half being scheduled. Fix this by simply removing the bottom half; there is no reason to defer it anyway.

Fixes: 3bcf26d3d619 ("hw/nvme: reimplement format nvm to allow cancellation")
Reported-by: Jonathan Derrick
Signed-off-by: Klaus Jensen
Reviewed-by: Keith Busch
---
 hw/nvme/ctrl.c | 27 ++++++++++++---------------
 1 file changed, 12 insertions(+), 15 deletions(-)

diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c index ac3885ce5079..26b53469328f 100644 --- a/hw/nvme/ctrl.c +++ b/hw/nvme/ctrl.c @@ -5756,14 +5756,15 @@ typedef struct NvmeFormatAIOCB { uint8_t pil; } NvmeFormatAIOCB; =20 -static void nvme_format_bh(void *opaque); - static void nvme_format_cancel(BlockAIOCB *aiocb) { NvmeFormatAIOCB *iocb =3D container_of(aiocb, NvmeFormatAIOCB, common); =20 + iocb->ret =3D -ECANCELED; + if (iocb->aiocb) { blk_aio_cancel_async(iocb->aiocb); + iocb->aiocb =3D NULL; } } =20
@@ -5787,13 +5788,17 @@ static void nvme_format_set(NvmeNamespace *ns, uint= 8_t lbaf, uint8_t mset, nvme_ns_init_format(ns); } =20 +static void nvme_do_format(NvmeFormatAIOCB *iocb); + static void nvme_format_ns_cb(void *opaque, int ret) { NvmeFormatAIOCB *iocb =3D opaque; NvmeNamespace *ns =3D iocb->ns; int bytes; =20 - if (ret < 0) { + if (iocb->ret < 0) { + goto done; + } else if (ret < 0) { iocb->ret =3D ret; goto done; } @@ -5817,8 +5822,7 @@ static void nvme_format_ns_cb(void *opaque, int ret) iocb->offset =3D 0; =20 done: - iocb->aiocb =3D NULL; - qemu_bh_schedule(iocb->bh); + nvme_do_format(iocb); } =20 static uint16_t nvme_format_check(NvmeNamespace *ns, uint8_t lbaf, uint8_t= pi) @@ -5842,9 +5846,8 @@ static uint16_t nvme_format_check(NvmeNamespace *ns, = uint8_t lbaf, uint8_t pi) return NVME_SUCCESS; } =20 -static void nvme_format_bh(void *opaque) +static void nvme_do_format(NvmeFormatAIOCB *iocb) { - NvmeFormatAIOCB *iocb =3D opaque; NvmeRequest *req =3D iocb->req; NvmeCtrl *n =3D nvme_ctrl(req); uint32_t dw10 =3D le32_to_cpu(req->cmd.cdw10); @@ -5882,11 +5885,7 @@ static void nvme_format_bh(void *opaque) return; =20 done: - qemu_bh_delete(iocb->bh); - iocb->bh =3D NULL; - iocb->common.cb(iocb->common.opaque, iocb->ret); - qemu_aio_unref(iocb); } =20 @@ -5905,7 +5904,6 @@ static uint16_t nvme_format(NvmeCtrl *n, NvmeRequest = *req) iocb =3D qemu_aio_get(&nvme_format_aiocb_info, NULL, nvme_misc_cb, req= ); =20 iocb->req =3D req; - iocb->bh =3D qemu_bh_new(nvme_format_bh, iocb); iocb->ret =3D 0; iocb->ns =3D NULL; iocb->nsid =3D 0; 
@@ -5934,14 +5932,13 @@ static uint16_t nvme_format(NvmeCtrl *n, NvmeReques= t *req) } =20 req->aiocb =3D &iocb->common; - qemu_bh_schedule(iocb->bh); + nvme_do_format(iocb); =20 return NVME_NO_COMPLETE; =20 out: - qemu_bh_delete(iocb->bh); - iocb->bh =3D NULL; qemu_aio_unref(iocb); + return status; } =20
-- 
2.38.1

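Review bot: in the hunk at @@ -5756, nvme_format_cancel() records iocb->ret = -ECANCELED unconditionally, but the only thing that later delivers a completion to req is nvme_format_ns_cb(), which fires only while a block request is in flight. The else case (iocb->aiocb == NULL) therefore depends on the invariant that the dsm patch in this series documents with assert(iocb->idx == iocb->nr) in nvme_dsm_cancel(); a short comment or assert here would make explicit that a cancel cannot arrive with nothing outstanding.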
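Review bot: the done: label in nvme_format_ns_cb() (hunk at @@ -5817) loses `iocb->aiocb = NULL;`, while the zone reset and dsm patches in this series keep that assignment at their done: labels before completing. Since nvme_do_format(iocb) is now called from here with the just-completed request still referenced, keeping `iocb->aiocb = NULL;` ahead of `nvme_do_format(iocb);` would stop the cancel path from ever seeing a dangling pointer and keep the four AIOCB types consistent.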
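Review bot: in the hunk at @@ -5934, with the bottom half gone nvme_do_format(iocb) can reach its done: label synchronously, i.e. before nvme_format() returns NVME_NO_COMPLETE, in which case iocb->common.cb() has already run and iocb has been unref'd while req->aiocb still points at it. That is fine only if nothing on the NVME_NO_COMPLETE path touches req->aiocb afterwards; either state that in the commit message or clear req->aiocb in the completion path.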
From: Klaus Jensen
To: qemu-devel@nongnu.org
Cc: Keith Busch, Klaus Jensen, qemu-block@nongnu.org, Klaus Jensen
Subject: [PATCH for-7.2 2/5] hw/nvme: fix aio cancel in flush
Date: Tue, 22 Nov 2022 09:13:45 +0100
Message-Id: <20221122081348.49963-3-its@irrelevant.dk>
In-Reply-To: <20221122081348.49963-1-its@irrelevant.dk>
References: <20221122081348.49963-1-its@irrelevant.dk>

Make sure that iocb->aiocb is NULL'ed when cancelling.

Fix a potential use-after-free by removing the bottom half and enqueuing the completion directly.

Fixes: 38f4ac65ac88 ("hw/nvme: reimplement flush to allow cancellation")
Signed-off-by: Klaus Jensen
---
 hw/nvme/ctrl.c | 21 ++++++--------------
 1 file changed, 6 insertions(+), 15 deletions(-)

diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c index 26b53469328f..fc129b8d1a93 100644 --- a/hw/nvme/ctrl.c +++ b/hw/nvme/ctrl.c @@ -3160,7 +3160,6 @@ typedef struct NvmeFlushAIOCB { BlockAIOCB common; BlockAIOCB *aiocb; NvmeRequest *req; - QEMUBH *bh; int ret; =20 NvmeNamespace *ns; @@ -3176,6 +3175,7 @@ static void nvme_flush_cancel(BlockAIOCB *acb) =20 if (iocb->aiocb) { blk_aio_cancel_async(iocb->aiocb); + iocb->aiocb =3D NULL; } } =20 @@ -3185,6 +3185,8 @@ static const AIOCBInfo nvme_flush_aiocb_info =3D { .get_aio_context =3D nvme_get_aio_context, }; =20 +static void nvme_do_flush(NvmeFlushAIOCB *iocb); + static void nvme_flush_ns_cb(void *opaque, int ret) { NvmeFlushAIOCB *iocb =3D opaque; @@ -3206,13 +3208,11 @@ static void nvme_flush_ns_cb(void *opaque, int ret) } =20 out: - iocb->aiocb =3D NULL; - qemu_bh_schedule(iocb->bh); + nvme_do_flush(iocb); } =20 -static void nvme_flush_bh(void *opaque) +static void nvme_do_flush(NvmeFlushAIOCB *iocb) { - NvmeFlushAIOCB *iocb =3D opaque; NvmeRequest *req =3D iocb->req; NvmeCtrl *n =3D nvme_ctrl(req); int i; @@ -3239,14 +3239,8 @@ static void nvme_flush_bh(void *opaque) return; =20 done: - qemu_bh_delete(iocb->bh); - iocb->bh =3D NULL; - iocb->common.cb(iocb->common.opaque, iocb->ret); - qemu_aio_unref(iocb); - - return; } =20 static uint16_t nvme_flush(NvmeCtrl *n, NvmeRequest *req)
@@ -3258,7 +3252,6 @@ static uint16_t nvme_flush(NvmeCtrl *n, NvmeRequest *= req) iocb =3D qemu_aio_get(&nvme_flush_aiocb_info, NULL, nvme_misc_cb, req); =20 iocb->req =3D req; - iocb->bh =3D qemu_bh_new(nvme_flush_bh, iocb); iocb->ret =3D 0; iocb->ns =3D NULL; iocb->nsid =3D 0; 
@@ -3280,13 +3273,11 @@ static uint16_t nvme_flush(NvmeCtrl *n, NvmeRequest= *req) } =20 req->aiocb =3D &iocb->common; - qemu_bh_schedule(iocb->bh); + nvme_do_flush(iocb); =20 return NVME_NO_COMPLETE; =20 out: - qemu_bh_delete(iocb->bh); - iocb->bh =3D NULL; qemu_aio_unref(iocb); =20 return status;
-- 
2.38.1

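Review bot: as in the format patch, the out: label in nvme_flush_ns_cb() (hunk at @@ -3206) drops `iocb->aiocb = NULL;` and then calls nvme_do_flush(iocb) with the completed request still referenced, whereas the zone reset and dsm patches in this series keep the assignment at their done: labels. Restoring `iocb->aiocb = NULL;` before `nvme_do_flush(iocb);` costs nothing and removes a window in which nvme_flush_cancel() could act on an already-completed aiocb.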
From: Klaus Jensen
To: qemu-devel@nongnu.org
Cc: Keith Busch, Klaus Jensen, qemu-block@nongnu.org, Klaus Jensen
Subject: [PATCH for-7.2 3/5] hw/nvme: fix aio cancel in zone reset
Date: Tue, 22 Nov 2022 09:13:46 +0100
Message-Id: <20221122081348.49963-4-its@irrelevant.dk>
In-Reply-To: <20221122081348.49963-1-its@irrelevant.dk>
References: <20221122081348.49963-1-its@irrelevant.dk>

If the zone reset operation is cancelled but the block unmap operation completes normally, the callback will continue resetting the next zone since it neglects to check iocb->ret, which will have been set to -ECANCELED. Make sure that this is checked and bail out if an error is present.

Secondly, fix a potential use-after-free by removing the bottom half and enqueuing the completion directly.

Fixes: 63d96e4ffd71 ("hw/nvme: reimplement zone reset to allow cancellation")
Signed-off-by: Klaus Jensen
---
 hw/nvme/ctrl.c | 36 +++++++++++-------------------------
 1 file changed, 11 insertions(+), 25 deletions(-)

diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c index fc129b8d1a93..558ccea154c2 100644 --- a/hw/nvme/ctrl.c +++ b/hw/nvme/ctrl.c @@ -3712,7 +3712,6 @@ typedef struct NvmeZoneResetAIOCB { BlockAIOCB common; BlockAIOCB *aiocb; NvmeRequest *req; - QEMUBH *bh; int ret; =20 bool all; @@ -3741,17 +3740,6 @@ static const AIOCBInfo nvme_zone_reset_aiocb_info = =3D { .cancel_async =3D nvme_zone_reset_cancel, }; =20 -static void nvme_zone_reset_bh(void *opaque) -{ - NvmeZoneResetAIOCB *iocb =3D opaque; - - iocb->common.cb(iocb->common.opaque, iocb->ret); - - qemu_bh_delete(iocb->bh); - iocb->bh =3D NULL; - qemu_aio_unref(iocb); -} - static void nvme_zone_reset_cb(void *opaque, int ret); =20 static void nvme_zone_reset_epilogue_cb(void *opaque, int ret) @@ -3762,14 +3750,8 @@ static void nvme_zone_reset_epilogue_cb(void *opaque= , int ret) int64_t moff; int count; =20 - if (ret < 0) { - nvme_zone_reset_cb(iocb, ret); - return; - } - - if (!ns->lbaf.ms) { - nvme_zone_reset_cb(iocb, 0); - return; + if (ret < 0 || iocb->ret < 0 || !ns->lbaf.ms) { + goto out; } =20 moff =3D nvme_moff(ns, iocb->zone->d.zslba);
@@ -3779,6 +3761,9 @@ static void nvme_zone_reset_epilogue_cb(void *opaque,= int ret) BDRV_REQ_MAY_UNMAP, nvme_zone_reset_cb, iocb); return; + +out: + nvme_zone_reset_cb(iocb, ret); } =20 static void nvme_zone_reset_cb(void *opaque, int ret) @@ -3787,7 +3772,9 @@ static void nvme_zone_reset_cb(void *opaque, int ret) NvmeRequest *req =3D iocb->req; NvmeNamespace *ns =3D req->ns; =20 - if (ret < 0) { + if (iocb->ret < 0) { + goto done; + } else if (ret < 0) { iocb->ret =3D ret; goto done; } @@ -3835,9 +3822,9 @@ static void nvme_zone_reset_cb(void *opaque, int ret) =20 done: iocb->aiocb =3D NULL; - if (iocb->bh) { - qemu_bh_schedule(iocb->bh); - } + + iocb->common.cb(iocb->common.opaque, iocb->ret); + qemu_aio_unref(iocb); } =20 static uint16_t nvme_zone_mgmt_send_zrwa_flush(NvmeCtrl *n, NvmeZone *zone, 
@@ -3942,7 +3929,6 @@ static uint16_t nvme_zone_mgmt_send(NvmeCtrl *n, Nvme= Request *req) nvme_misc_cb, req); =20 iocb->req =3D req; - iocb->bh =3D qemu_bh_new(nvme_zone_reset_bh, iocb); iocb->ret =3D 0; iocb->all =3D all; iocb->idx =3D zone_idx;
-- 
2.38.1

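Review bot: the merged condition in the hunk at @@ -3762, `if (ret < 0 || iocb->ret < 0 || !ns->lbaf.ms) goto out;`, forwards a non-negative ret to nvme_zone_reset_cb() when the operation was cancelled but the unmap itself succeeded; that is correct only because nvme_zone_reset_cb() now tests iocb->ret before ret (hunk at @@ -3787). A one-line comment at out: stating that dependency would stop a later change to nvme_zone_reset_cb() from quietly reintroducing the bug the commit message describes.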
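Review bot: done: in the hunk at @@ -3835 now completes and unrefs the iocb directly, but nvme_zone_reset_cancel() (referenced via .cancel_async in the hunk at @@ -3741 and not changed here) is not shown to clear iocb->aiocb after blk_aio_cancel_async() the way the format and flush patches do; if it does not already, it should, for the reason given in patch 1's message.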
From: Klaus Jensen
To: qemu-devel@nongnu.org
Cc: Keith Busch, Klaus Jensen, qemu-block@nongnu.org, Klaus Jensen
Subject: [PATCH for-7.2 4/5] hw/nvme: fix aio cancel in dsm
Date: Tue, 22 Nov 2022 09:13:47 +0100
Message-Id: <20221122081348.49963-5-its@irrelevant.dk>
In-Reply-To: <20221122081348.49963-1-its@irrelevant.dk>
References: <20221122081348.49963-1-its@irrelevant.dk>

When the DSM operation is cancelled asynchronously, we set iocb->ret to -ECANCELED. However, the callback function only checks the return value of the completed aio, which may have completed successfully prior to the cancellation, and thus the callback ends up continuing the dsm operation instead of bailing out. Fix this.

Secondly, fix a potential use-after-free by removing the bottom half and enqueuing the completion directly.

Fixes: d7d1474fd85d ("hw/nvme: reimplement dsm to allow cancellation")
Signed-off-by: Klaus Jensen
---
 hw/nvme/ctrl.c | 34 ++++++++--------------------------
 1 file changed, 8 insertions(+), 26 deletions(-)

diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c index 558ccea154c2..458c85d47cce 100644 --- a/hw/nvme/ctrl.c +++ b/hw/nvme/ctrl.c @@ -2329,7 +2329,6 @@ typedef struct NvmeDSMAIOCB { BlockAIOCB common; BlockAIOCB *aiocb; NvmeRequest *req; - QEMUBH *bh; int ret; =20 NvmeDsmRange *range; @@ -2351,7 +2350,7 @@ static void nvme_dsm_cancel(BlockAIOCB *aiocb) } else { /* * We only reach this if nvme_dsm_cancel() has already been called= or - * the command ran to completion and nvme_dsm_bh is scheduled to r= un. + * the command ran to completion. */ assert(iocb->idx =3D=3D iocb->nr); } @@ -2362,17 +2361,6 @@ static const AIOCBInfo nvme_dsm_aiocb_info =3D { .cancel_async =3D nvme_dsm_cancel, }; =20 -static void nvme_dsm_bh(void *opaque) -{ - NvmeDSMAIOCB *iocb =3D opaque; - - iocb->common.cb(iocb->common.opaque, iocb->ret); - - qemu_bh_delete(iocb->bh); - iocb->bh =3D NULL; - qemu_aio_unref(iocb); -} - static void nvme_dsm_cb(void *opaque, int ret); =20 static void nvme_dsm_md_cb(void *opaque, int ret)
@@ -2384,16 +2372,10 @@ static void nvme_dsm_md_cb(void *opaque, int ret) uint64_t slba; uint32_t nlb; =20 - if (ret < 0) { - iocb->ret =3D ret; + if (ret < 0 || iocb->ret < 0 || !ns->lbaf.ms) { goto done; } =20 - if (!ns->lbaf.ms) { - nvme_dsm_cb(iocb, 0); - return; - } - range =3D &iocb->range[iocb->idx - 1]; slba =3D le64_to_cpu(range->slba); nlb =3D le32_to_cpu(range->nlb); @@ -2406,7 +2388,6 @@ static void nvme_dsm_md_cb(void *opaque, int ret) ret =3D nvme_block_status_all(ns, slba, nlb, BDRV_BLOCK_ZERO); if (ret) { if (ret < 0) { - iocb->ret =3D ret; goto done; } =20 @@ -2420,8 +2401,7 @@ static void nvme_dsm_md_cb(void *opaque, int ret) return; =20 done: - iocb->aiocb =3D NULL; - qemu_bh_schedule(iocb->bh); + nvme_dsm_cb(iocb, ret); } =20 static void nvme_dsm_cb(void *opaque, int ret) @@ -2434,7 +2414,9 @@ static void nvme_dsm_cb(void *opaque, int ret) uint64_t slba; uint32_t nlb; =20 - if (ret < 0) { + if (iocb->ret < 0) { + goto done; + } else if (ret < 0) { iocb->ret =3D ret; goto done; } @@ -2468,7 +2450,8 @@ next: =20 done: iocb->aiocb =3D NULL; - qemu_bh_schedule(iocb->bh); + iocb->common.cb(iocb->common.opaque, iocb->ret); + qemu_aio_unref(iocb); } =20 static uint16_t nvme_dsm(NvmeCtrl *n, NvmeRequest *req) 
@@ -2486,7 +2469,6 @@ static uint16_t nvme_dsm(NvmeCtrl *n, NvmeRequest *re= q) nvme_misc_cb, req); =20 iocb->req =3D req; - iocb->bh =3D qemu_bh_new(nvme_dsm_bh, iocb); iocb->ret =3D 0; iocb->range =3D g_new(NvmeDsmRange, nr); iocb->nr =3D nr; --=20 2.38.1
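Review bot: in the nvme_dsm_cancel hunk (`@@ -2351,7 +2350,7 @@`), the updated comment still describes a "command ran to completion" state, but with the bottom half gone the `done:` path of nvme_dsm_cb now sets `iocb->aiocb = NULL` and immediately calls `iocb->common.cb()` followed by `qemu_aio_unref(iocb)`, so that window has shrunk to the completion callback itself. Please state in the comment whether the `else` branch with `assert(iocb->idx == iocb->nr)` is still reachable (for instance from a cancel issued while another reference to the iocb is held) or whether it is now effectively dead code; the assert is the only thing documenting the invariant.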
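Review bot: in the nvme_dsm_md_cb hunk (`@@ -2384,16 +2372,10 @@`), folding the error, already-cancelled and no-metadata cases into one `if (ret < 0 || iocb->ret < 0 || !ns->lbaf.ms) { goto done; }` is only correct because `done:` now forwards `ret` to `nvme_dsm_cb(iocb, ret)`, which re-checks `iocb->ret` and stores a negative `ret` itself; the `iocb->ret = ret` stores dropped here and in the nvme_block_status_all error path of the following hunk therefore depend entirely on nvme_dsm_cb doing that bookkeeping. A one-line comment at `done:` saying that nvme_dsm_cb records `ret` and honours a pending cancellation would keep a later refactor from silently losing an error again.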
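Review bot: the `done:` hunk of nvme_dsm_cb (`@@ -2468,7 +2450,8 @@`) is where the use-after-free named in the commit message is actually fixed, yet neither the message nor the diff says which sequence of events let the bottom half run against an already released iocb; since this is what a backporter has to judge for a stable branch, please spell out the racing sequence in the commit message. Note also that `iocb->common.cb()` now runs synchronously from inside the aio completion and `qemu_aio_unref(iocb)` follows directly, so nothing may touch `iocb` after the callback returns; the current ordering respects that, but it deserves a comment so it is not broken by a later edit.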
From: Klaus Jensen
To: qemu-devel@nongnu.org
Cc: Keith Busch , Klaus Jensen , qemu-block@nongnu.org, Klaus Jensen
Subject: [PATCH for-7.2 5/5] hw/nvme: remove copy bh scheduling
Date: Tue, 22 Nov 2022 09:13:48 +0100
Message-Id: <20221122081348.49963-6-its@irrelevant.dk>
In-Reply-To: <20221122081348.49963-1-its@irrelevant.dk>
References: <20221122081348.49963-1-its@irrelevant.dk>
Content-Transfer-Encoding: quoted-printable
List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1669104967619100007 Content-Type: text/plain; charset="utf-8" From: Klaus Jensen Fix a potential use-after-free by removing the bottom half and enqueuing the completion directly. Fixes: 796d20681d9b ("hw/nvme: reimplement the copy command to allow aio ca= ncellation") Signed-off-by: Klaus Jensen --- hw/nvme/ctrl.c | 63 +++++++++++--------------------------------------- 1 file changed, 14 insertions(+), 49 deletions(-) diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c index 458c85d47cce..bbbab522aa7a 100644 --- a/hw/nvme/ctrl.c +++ b/hw/nvme/ctrl.c @@ -2552,7 +2552,6 @@ typedef struct NvmeCopyAIOCB { BlockAIOCB common; BlockAIOCB *aiocb; NvmeRequest *req; - QEMUBH *bh; int ret; =20 void *ranges; @@ -2590,9 +2589,8 @@ static const AIOCBInfo nvme_copy_aiocb_info =3D { .cancel_async =3D nvme_copy_cancel, }; =20 -static void nvme_copy_bh(void *opaque) +static void nvme_copy_done(NvmeCopyAIOCB *iocb) { - NvmeCopyAIOCB *iocb =3D opaque; NvmeRequest *req =3D iocb->req; NvmeNamespace *ns =3D req->ns; BlockAcctStats *stats =3D blk_get_stats(ns->blkconf.blk); @@ -2604,9 +2602,6 @@ static void nvme_copy_bh(void *opaque) qemu_iovec_destroy(&iocb->iov); g_free(iocb->bounce); =20 - qemu_bh_delete(iocb->bh); - iocb->bh =3D NULL; - if (iocb->ret < 0) { block_acct_failed(stats, &iocb->acct.read); block_acct_failed(stats, &iocb->acct.write); @@ -2619,7 +2614,7 @@ static void nvme_copy_bh(void *opaque) qemu_aio_unref(iocb); } =20 -static void nvme_copy_cb(void *opaque, int ret); +static void nvme_do_copy(NvmeCopyAIOCB *iocb); =20 static void nvme_copy_source_range_parse_format0(void *ranges, int idx, uint64_t *slba, uint32_t = *nlb, 
@@ -2731,7 +2726,7 @@ static void nvme_copy_out_completed_cb(void *opaque, = int ret) iocb->idx++; iocb->slba +=3D nlb; out: - nvme_copy_cb(iocb, iocb->ret); + nvme_do_copy(iocb); } =20 static void nvme_copy_out_cb(void *opaque, int ret) @@ -2743,16 +2738,8 @@ static void nvme_copy_out_cb(void *opaque, int ret) size_t mlen; uint8_t *mbounce; =20 - if (ret < 0) { - iocb->ret =3D ret; + if (ret < 0 || iocb->ret < 0 || !ns->lbaf.ms) { goto out; - } else if (iocb->ret < 0) { - goto out; - } - - if (!ns->lbaf.ms) { - nvme_copy_out_completed_cb(iocb, 0); - return; } =20 nvme_copy_source_range_parse(iocb->ranges, iocb->idx, iocb->format, NU= LL, @@ -2771,7 +2758,7 @@ static void nvme_copy_out_cb(void *opaque, int ret) return; =20 out: - nvme_copy_cb(iocb, ret); + nvme_copy_out_completed_cb(iocb, ret); } =20 static void nvme_copy_in_completed_cb(void *opaque, int ret) @@ -2865,15 +2852,9 @@ static void nvme_copy_in_completed_cb(void *opaque, = int ret) =20 invalid: req->status =3D status; - iocb->aiocb =3D NULL; - if (iocb->bh) { - qemu_bh_schedule(iocb->bh); - } - - return; - + iocb->ret =3D -1; out: - nvme_copy_cb(iocb, ret); + nvme_do_copy(iocb); } =20 static void nvme_copy_in_cb(void *opaque, int ret) @@ -2884,16 +2865,8 @@ static void nvme_copy_in_cb(void *opaque, int ret) uint64_t slba; uint32_t nlb; =20 - if (ret < 0) { - iocb->ret =3D ret; + if (ret < 0 || iocb->ret < 0 || !ns->lbaf.ms) { goto out; - } else if (iocb->ret < 0) { - goto out; - } - - if (!ns->lbaf.ms) { - nvme_copy_in_completed_cb(iocb, 0); - return; } =20 nvme_copy_source_range_parse(iocb->ranges, iocb->idx, iocb->format, &s= lba, 
@@ -2909,12 +2882,11 @@ static void nvme_copy_in_cb(void *opaque, int ret) return; =20 out: - nvme_copy_cb(iocb, iocb->ret); + nvme_copy_in_completed_cb(iocb, ret); } =20 -static void nvme_copy_cb(void *opaque, int ret) +static void nvme_do_copy(NvmeCopyAIOCB *iocb) { - NvmeCopyAIOCB *iocb =3D opaque; NvmeRequest *req =3D iocb->req; NvmeNamespace *ns =3D req->ns; uint64_t slba; @@ -2922,10 +2894,7 @@ static void nvme_copy_cb(void *opaque, int ret) size_t len; uint16_t status; =20 - if (ret < 0) { - iocb->ret =3D ret; - goto done; - } else if (iocb->ret < 0) { + if (iocb->ret < 0) { goto done; } =20 @@ -2972,14 +2941,11 @@ static void nvme_copy_cb(void *opaque, int ret) =20 invalid: req->status =3D status; + iocb->ret =3D -1; done: - iocb->aiocb =3D NULL; - if (iocb->bh) { - qemu_bh_schedule(iocb->bh); - } + nvme_copy_done(iocb); } =20 - static uint16_t nvme_copy(NvmeCtrl *n, NvmeRequest *req) { NvmeNamespace *ns =3D req->ns; @@ -3049,7 +3015,6 @@ static uint16_t nvme_copy(NvmeCtrl *n, NvmeRequest *r= eq) } =20 iocb->req =3D req; - iocb->bh =3D qemu_bh_new(nvme_copy_bh, iocb); iocb->ret =3D 0; iocb->nr =3D nr; iocb->idx =3D 0; @@ -3066,7 +3031,7 @@ static uint16_t nvme_copy(NvmeCtrl *n, NvmeRequest *r= eq) BLOCK_ACCT_WRITE); =20 req->aiocb =3D &iocb->common; - nvme_copy_cb(iocb, 0); + nvme_do_copy(iocb); =20 return NVME_NO_COMPLETE; =20 --=20 2.38.1
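Review bot: in the nvme_copy_out_cb hunk (`@@ -2743,16 +2738,8 @@`), the `iocb->ret = ret` store on the error path is dropped and `out:` now calls `nvme_copy_out_completed_cb(iocb, ret)` with the negative `ret`; that is only equivalent to the old code if nvme_copy_out_completed_cb records a negative `ret` into `iocb->ret` itself, which this hunk does not show. The same applies to nvme_copy_in_cb's `out:` (`@@ -2909,12 +2882,11 @@`) forwarding `ret` to nvme_copy_in_completed_cb. If the callees do not do this, a failed read or write would be reported as success through nvme_copy_done; please confirm, or keep the store before the `goto out`.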
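Review bot: in the nvme_copy_in_completed_cb `invalid:` hunk (`@@ -2865,15 +2852,9 @@`) and again at the nvme_do_copy `invalid:` label (`@@ -2972,14 +2941,11 @@`), `iocb->ret = -1` is a bare magic value in a field that otherwise carries -errno values, and -1 happens to read as -EPERM. Since nvme_copy_done only tests `iocb->ret < 0` for the block_acct_failed accounting and the real NVMe status is already in `req->status`, any negative value works, but `-EINVAL` or a short comment saying the value only marks failure would make the intent obvious.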
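Review bot: in the last hunk (`@@ -3066,7 +3031,7 @@`), nvme_copy() sets `req->aiocb = &iocb->common`, calls `nvme_do_copy(iocb)` synchronously and then returns NVME_NO_COMPLETE; with the bottom half removed, a `done:` reached on that first call (for example through the `invalid:` label) now runs nvme_copy_done, and hence `iocb->common.cb()` and `qemu_aio_unref(iocb)`, before nvme_copy() has returned. Please confirm that the completion callback tolerates being invoked before NVME_NO_COMPLETE is returned and that it clears `req->aiocb`, because otherwise `req->aiocb` would be left pointing at the freed iocb, which is the class of bug the series sets out to remove; a sentence about this in the commit message would help.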