Re: [Qemu-devel] [PATCH] ide: fix double free

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH] ide: fix double free

From:	Paolo Bonzini
Subject:	Re: [Qemu-devel] [PATCH] ide: fix double free
Date:	Wed, 02 Jul 2014 15:09:37 +0200
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0

Il 02/07/2014 14:54, 陈梁 ha scritto:

> The second call should have happened within dma_aio_cancel's call to
> bdrv_aio_cancel.  This is the real bug.

IMO, the second need not happened within dma_aio_cancel's call to 
bdrv_aio_cancel.
The double free will be happened if dam_aio_cancel is called.

The callback must not be invoked after bdrv_aio_cancel. This is thefundamental invariant of bdrv_aio_cancel. All implementations of AIOCBmust respect it, or bugs like this one happen.


Here, either bdrv_aio_cancel was not invoked, or the invariant was broken.

The other invariant, this time in dma-helpers.c, is that dma_bdrv_cbeither exits with no pending AIOCB, or it exits with a non-NULLdbs->acb. If bdrv_aio_cancel was not invoked, this invariant was brokenbecause there is a pending AIOCB but it is not in dbs->acb.


Paolo

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [Qemu-devel] [PATCH] ide: fix double free, (continued)

Prev by Date: Re: [Qemu-devel] [PATCH] qemu-img info: show nocow info
Next by Date: Re: [Qemu-devel] [PATCH for-2.1? RFC v11 1/6] block: round up file size to nearest sector
Previous by thread: Re: [Qemu-devel] [PATCH] ide: fix double free
Next by thread: Re: [Qemu-devel] [PATCH] ide: fix double free
Index(es):
- Date
- Thread