From patchwork Thu Dec 1 16:50:22 2022
X-Patchwork-Submitter: Klaus Jensen
X-Patchwork-Id: 1711097
From: Klaus Jensen
To: qemu-devel@nongnu.org
Cc: qemu-block@nongnu.org, Keith Busch, Klaus Jensen, Klaus Jensen
Subject: [PULL for-7.2 3/5] hw/nvme: fix aio cancel in zone reset
Date: Thu, 1 Dec 2022 17:50:22 +0100
Message-Id: <20221201165024.51018-4-its@irrelevant.dk>
In-Reply-To: <20221201165024.51018-1-its@irrelevant.dk>
References: <20221201165024.51018-1-its@irrelevant.dk>
From: Klaus Jensen If the zone reset operation is cancelled but the block unmap operation completes normally, the callback will continue resetting the next zone since it neglects to check iocb->ret which will have been set to -ECANCELED. Make sure that this is checked and bail out if an error is present. Secondly, fix a potential use-after-free by removing the bottom half and enqueuing the completion directly. Fixes: 63d96e4ffd71 ("hw/nvme: reimplement zone reset to allow cancellation") Reviewed-by: Keith Busch Signed-off-by: Klaus Jensen --- hw/nvme/ctrl.c | 36 +++++++++++------------------------- 1 file changed, 11 insertions(+), 25 deletions(-) diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c index fede5af6afd0..bf4abf73f765 100644 --- a/hw/nvme/ctrl.c +++ b/hw/nvme/ctrl.c @@ -3712,7 +3712,6 @@ typedef struct NvmeZoneResetAIOCB { BlockAIOCB common; BlockAIOCB *aiocb; NvmeRequest *req; - QEMUBH *bh; int ret; bool all; @@ -3741,17 +3740,6 @@ static const AIOCBInfo nvme_zone_reset_aiocb_info = { .cancel_async = nvme_zone_reset_cancel, }; -static void nvme_zone_reset_bh(void *opaque) -{ - NvmeZoneResetAIOCB *iocb = opaque; - - iocb->common.cb(iocb->common.opaque, iocb->ret); - - qemu_bh_delete(iocb->bh); - iocb->bh = NULL; - qemu_aio_unref(iocb); -} - static void nvme_zone_reset_cb(void *opaque, int ret); static void nvme_zone_reset_epilogue_cb(void *opaque, int ret) @@ -3762,14 +3750,8 @@ static void nvme_zone_reset_epilogue_cb(void *opaque, int ret) int64_t moff; int count; - if (ret < 0) { - nvme_zone_reset_cb(iocb, ret); - return; - } - - if (!ns->lbaf.ms) { - nvme_zone_reset_cb(iocb, 0); - return; + if (ret < 0 || iocb->ret < 0 || !ns->lbaf.ms) { + goto out; } moff = nvme_moff(ns, iocb->zone->d.zslba); @@ -3779,6 +3761,9 @@ static void nvme_zone_reset_epilogue_cb(void *opaque, int ret) BDRV_REQ_MAY_UNMAP, nvme_zone_reset_cb, iocb); return; + +out: + nvme_zone_reset_cb(iocb, ret); } static void nvme_zone_reset_cb(void *opaque, int ret) 
@@ -3787,7 +3772,9 @@ static void nvme_zone_reset_cb(void *opaque, int ret) NvmeRequest *req = iocb->req; NvmeNamespace *ns = req->ns; - if (ret < 0) { + if (iocb->ret < 0) { + goto done; + } else if (ret < 0) { iocb->ret = ret; goto done; } @@ -3835,9 +3822,9 @@ static void nvme_zone_reset_cb(void *opaque, int ret) done: iocb->aiocb = NULL; - if (iocb->bh) { - qemu_bh_schedule(iocb->bh); - } + + iocb->common.cb(iocb->common.opaque, iocb->ret); + qemu_aio_unref(iocb); } static uint16_t nvme_zone_mgmt_send_zrwa_flush(NvmeCtrl *n, NvmeZone *zone, @@ -3942,7 +3929,6 @@ static uint16_t nvme_zone_mgmt_send(NvmeCtrl *n, NvmeRequest *req) nvme_misc_cb, req); iocb->req = req; - iocb->bh = qemu_bh_new(nvme_zone_reset_bh, iocb); iocb->ret = 0; iocb->all = all; iocb->idx = zone_idx;
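Review bot: in the nvme_zone_reset_epilogue_cb hunk, the `!ns->lbaf.ms` branch used to complete with `nvme_zone_reset_cb(iocb, 0)` and now falls through to `out:` with `nvme_zone_reset_cb(iocb, ret)`; that is equivalent only because the branch is reached with `ret >= 0`, and the cancelled case (`iocb->ret < 0`, unmap succeeded) also arrives at nvme_zone_reset_cb with a non-negative `ret` and relies entirely on the new `if (iocb->ret < 0) goto done;` check in the later hunk. A one-line comment at `out:` saying that `ret` is either the unmap error or a non-negative result, and that a pending cancellation is detected via `iocb->ret` in nvme_zone_reset_cb, would make that coupling explicit. Note also that the ordering `if (iocb->ret < 0) goto done; else if (ret < 0) iocb->ret = ret;` means the first recorded error wins, so an I/O error that arrives after cancellation is reported as -ECANCELED rather than the I/O error; that seems intended but is worth a sentence in the commit message.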
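Review bot: in the `done:` hunk of nvme_zone_reset_cb, replacing `qemu_bh_schedule(iocb->bh)` with a direct `iocb->common.cb(...)` followed by `qemu_aio_unref(iocb)` changes when the completion runs: the bottom half previously guaranteed the completion (nvme_misc_cb, per the nvme_zone_mgmt_send hunk) fired from the event loop, whereas now it runs synchronously inside whoever called nvme_zone_reset_cb, including the initial call made from nvme_zone_mgmt_send when no I/O is issued. The commit message should state why a synchronous completion is safe for that caller. The use-after-free fix itself looks right, since `iocb->aiocb = NULL` is written before the callback and nothing touches `iocb` after `qemu_aio_unref`; a short comment above `qemu_aio_unref(iocb)` noting that the iocb must not be accessed past this point would help keep it that way.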