[Qemu-devel] [PULL 06/22] dma-helpers: Fix race condition of continue_af
From: |
Paolo Bonzini |
Subject: |
[Qemu-devel] [PULL 06/22] dma-helpers: Fix race condition of continue_after_map_failure and dma_aio_cancel |
Date: |
Tue, 28 Apr 2015 16:40:13 +0200 |
From: Fam Zheng <address@hidden>
If DMA's owning thread cancels the IO while the bounce buffer's owning thread
is notifying the "cpu client list", a use-after-free happens:
continue_after_map_failure dma_aio_cancel
------------------------------------------------------------------
aio_bh_new
qemu_bh_delete
qemu_bh_schedule (use after free)
Also, the old code doesn't run the bh in the right AioContext.
Fix both problems by passing a QEMUBH to cpu_register_map_client.
Signed-off-by: Fam Zheng <address@hidden>
Reviewed-by: Paolo Bonzini <address@hidden>
Message-Id: <address@hidden>
[Remove unnecessary forward declaration. - Paolo]
Signed-off-by: Paolo Bonzini <address@hidden>
---
dma-helpers.c | 17 ++++++++---------
exec.c | 34 +++++++++++++++++++++-------------
include/exec/cpu-common.h | 3 ++-
3 files changed, 31 insertions(+), 23 deletions(-)
diff --git a/dma-helpers.c b/dma-helpers.c
index 6918572..1fddf6a 100644
--- a/dma-helpers.c
+++ b/dma-helpers.c
@@ -92,14 +92,6 @@ static void reschedule_dma(void *opaque)
dma_blk_cb(dbs, 0);
}
-static void continue_after_map_failure(void *opaque)
-{
- DMAAIOCB *dbs = (DMAAIOCB *)opaque;
-
- dbs->bh = qemu_bh_new(reschedule_dma, dbs);
- qemu_bh_schedule(dbs->bh);
-}
-
static void dma_blk_unmap(DMAAIOCB *dbs)
{
int i;
@@ -161,7 +153,9 @@ static void dma_blk_cb(void *opaque, int ret)
if (dbs->iov.size == 0) {
trace_dma_map_wait(dbs);
- cpu_register_map_client(dbs, continue_after_map_failure);
+ dbs->bh = aio_bh_new(blk_get_aio_context(dbs->blk),
+ reschedule_dma, dbs);
+ cpu_register_map_client(dbs->bh);
return;
}
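Review bot: The assignment `dbs->bh = aio_bh_new(...)` on the added lines assumes `dbs->bh` is NULL whenever this map-wait path is reached; a bottom half still stored there would be overwritten and leaked, and the `qemu_bh_delete(dbs->bh)` added in the dma_aio_cancel hunk would only ever reach the newer one. reschedule_dma's body is outside this hunk (only its tail is visible above the first hunk), so confirm it deletes and clears `dbs->bh` before re-entering dma_blk_cb, or make the invariant checked with `assert(!dbs->bh);` ahead of the `aio_bh_new` call. dma_blk_cb itself starts and ends outside the hunk.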
@@ -183,6 +177,11 @@ static void dma_aio_cancel(BlockAIOCB *acb)
if (dbs->acb) {
blk_aio_cancel_async(dbs->acb);
}
+ if (dbs->bh) {
+ cpu_unregister_map_client(dbs->bh);
+ qemu_bh_delete(dbs->bh);
+ dbs->bh = NULL;
+ }
}
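Review bot: The order of the three added calls is the whole point of the fix but nothing says so: after `cpu_notify_map_clients_locked` has already scheduled the bh and dropped the list entry, `cpu_unregister_map_client` finds nothing and it is `qemu_bh_delete` alone that keeps the pending run from happening — assuming, as the rest of the code does, that deleting a scheduled QEMUBH prevents it from running. A one-line comment would record that reasoning for the next reader: `/* bh is either still on the map-client list or already scheduled; unregister then delete so it cannot run after cancel. */`. dma_aio_cancel's body starts outside the hunk.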
diff --git a/exec.c b/exec.c
index 2c87f1d..065f5e8 100644
--- a/exec.c
+++ b/exec.c
@@ -2479,8 +2479,7 @@ typedef struct {
static BounceBuffer bounce;
typedef struct MapClient {
- void *opaque;
- void (*callback)(void *opaque);
+ QEMUBH *bh;
QLIST_ENTRY(MapClient) link;
} MapClient;
@@ -2488,31 +2487,34 @@ QemuMutex map_client_list_lock;
static QLIST_HEAD(map_client_list, MapClient) map_client_list
= QLIST_HEAD_INITIALIZER(map_client_list);
-static void cpu_unregister_map_client(void *_client);
+static void cpu_unregister_map_client_do(MapClient *client)
+{
+ QLIST_REMOVE(client, link);
+ g_free(client);
+}
+
static void cpu_notify_map_clients_locked(void)
{
MapClient *client;
while (!QLIST_EMPTY(&map_client_list)) {
client = QLIST_FIRST(&map_client_list);
- client->callback(client->opaque);
- cpu_unregister_map_client(client);
+ qemu_bh_schedule(client->bh);
+ cpu_unregister_map_client_do(client);
}
}
-void *cpu_register_map_client(void *opaque, void (*callback)(void *opaque))
+void cpu_register_map_client(QEMUBH *bh)
{
MapClient *client = g_malloc(sizeof(*client));
qemu_mutex_lock(&map_client_list_lock);
- client->opaque = opaque;
- client->callback = callback;
+ client->bh = bh;
QLIST_INSERT_HEAD(&map_client_list, client, link);
if (!atomic_read(&bounce.in_use)) {
cpu_notify_map_clients_locked();
}
qemu_mutex_unlock(&map_client_list_lock);
- return client;
}
void cpu_exec_init_all(void)
@@ -2523,12 +2525,18 @@ void cpu_exec_init_all(void)
qemu_mutex_init(&map_client_list_lock);
}
-static void cpu_unregister_map_client(void *_client)
+void cpu_unregister_map_client(QEMUBH *bh)
{
- MapClient *client = (MapClient *)_client;
+ MapClient *client;
- QLIST_REMOVE(client, link);
- g_free(client);
+ qemu_mutex_lock(&map_client_list_lock);
+ QLIST_FOREACH(client, &map_client_list, link) {
+ if (client->bh == bh) {
+ cpu_unregister_map_client_do(client);
+ break;
+ }
+ }
+ qemu_mutex_unlock(&map_client_list_lock);
}
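Review bot: `cpu_unregister_map_client` removes only the first MapClient whose `bh` matches and then breaks, so if the same QEMUBH were ever registered twice the second entry would stay on the list and `cpu_notify_map_clients_locked` would later schedule a bh its owner may already have deleted. If double registration is not a supported use, that contract should be stated, either as a comment on the declaration or as an assertion that no further match exists. Returning silently when nothing matches is the expected path once the notifier has removed the client, and deserves its own line, e.g. `/* No match: the client was already notified and removed. */` after the loop.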
static void cpu_notify_map_clients(void)
diff --git a/include/exec/cpu-common.h b/include/exec/cpu-common.h
index fcc3162..43428bd 100644
--- a/include/exec/cpu-common.h
+++ b/include/exec/cpu-common.h
@@ -82,7 +82,8 @@ void *cpu_physical_memory_map(hwaddr addr,
int is_write);
void cpu_physical_memory_unmap(void *buffer, hwaddr len,
int is_write, hwaddr access_len);
-void *cpu_register_map_client(void *opaque, void (*callback)(void *opaque));
+void cpu_register_map_client(QEMUBH *bh);
+void cpu_unregister_map_client(QEMUBH *bh);
bool cpu_physical_memory_is_io(hwaddr phys_addr);
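Review bot: The two new declarations carry no contract for the QEMUBH: who owns it, when it may be scheduled, and when it is safe to delete. From the exec.c hunks, the list entry only borrows the pointer, `cpu_notify_map_clients_locked` schedules it and drops the entry (possibly already inside cpu_register_map_client, when the bounce buffer is not in use), and cpu_unregister_map_client does nothing if the entry is already gone. Suggested comment above `cpu_register_map_client`: `/* Schedule @bh once the bounce buffer is free (possibly before returning). The caller keeps ownership of @bh and must call cpu_unregister_map_client() before deleting it if the bh may not have been scheduled yet. */`.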
--
2.3.5