[Qemu-stable] Segfault on block/nbd.c disconnect in QEMU 1.4.1

qemu-stable

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-stable] Segfault on block/nbd.c disconnect in QEMU 1.4.1

From:	Stefan Hajnoczi
Subject:	[Qemu-stable] Segfault on block/nbd.c disconnect in QEMU 1.4.1
Date:	Wed, 8 May 2013 21:54:14 +0200

Hi Nick,
The segfault you reported on IRC has been fixed in qemu.git/master by
the following commit:

  commit 6760c47aa42ce30efdd12c132f73c8749c575995
  Author: Stefan Hajnoczi <address@hidden>
  Date:   Mon Apr 15 16:14:46 2013 +0200

      nbd: unlock mutex in nbd_co_send_request() error path

QEMU 1.5-rc0 includes the fix.  If there is a 1.4.2 release, then I
suggest including this patch.

I was able to trigger the segfault with multiple dd processes writing
to the NBD disk inside the guest.  It was not possible to trigger the
segfault with a single dd process alone.

Before the fix is applied, the broken error code path leaves
s->send_coroutine assigned when in fact it should be cleared.  It also
leaves the fd handler registered.

As a result, the main loop picks up the socket close event and invokes
nbd_restart_write(), which will enter a coroutine which has already
been freed.  This is the point where we see the bizarre segfault.

Stefan

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-stable] Segfault on block/nbd.c disconnect in QEMU 1.4.1, Stefan Hajnoczi <=

Prev by Date: [Qemu-stable] connectivity problem with Windows 7 + heavy network-traffic
Next by Date: Re: [Qemu-stable] [PATCH for 1.5] tcg/optimize: fix setcond2 optimization
Previous by thread: [Qemu-stable] connectivity problem with Windows 7 + heavy network-traffic
Next by thread: Re: [Qemu-stable] [PATCH for 1.5] tcg/optimize: fix setcond2 optimization
Index(es):
- Date
- Thread