From patchwork Mon Aug  6 12:37:54 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Avi Kivity <avi@redhat.com>
X-Patchwork-Id: 175334
Return-Path: <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from lists.gnu.org (lists.gnu.org [208.118.235.17])
	(using TLSv1 with cipher AES256-SHA (256/256 bits))
	(Client did not present a certificate)
	by ozlabs.org (Postfix) with ESMTPS id 0AFFE2C008D
	for <incoming@patchwork.ozlabs.org>;
	Mon,  6 Aug 2012 22:38:19 +1000 (EST)
Received: from localhost ([::1]:51907 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71) (envelope-from
	<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>)
	id 1SyMZd-0004J0-5V
	for incoming@patchwork.ozlabs.org; Mon, 06 Aug 2012 08:38:17 -0400
Received: from eggs.gnu.org ([208.118.235.92]:53400)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <avi@redhat.com>) id 1SyMZM-0004HY-Vf
	for qemu-devel@nongnu.org; Mon, 06 Aug 2012 08:38:06 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <avi@redhat.com>) id 1SyMZL-0005ur-Pb
	for qemu-devel@nongnu.org; Mon, 06 Aug 2012 08:38:00 -0400
Received: from mx1.redhat.com ([209.132.183.28]:34018)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <avi@redhat.com>) id 1SyMZL-0005uf-GH
	for qemu-devel@nongnu.org; Mon, 06 Aug 2012 08:37:59 -0400
Received: from int-mx11.intmail.prod.int.phx2.redhat.com
	(int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24])
	by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q76CbvaZ027170
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK);
	Mon, 6 Aug 2012 08:37:57 -0400
Received: from balrog.usersys.tlv.redhat.com (dhcp-4-121.tlv.redhat.com
	[10.35.4.121])
	by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with
	ESMTP id q76Cbs8Q010841; Mon, 6 Aug 2012 08:37:55 -0400
Message-ID: <501FBAA2.6050205@redhat.com>
Date: Mon, 06 Aug 2012 15:37:54 +0300
From: Avi Kivity <avi@redhat.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
	rv:14.0) Gecko/20120717 Thunderbird/14.0
MIME-Version: 1.0
To: Stefan Priebe - Profihost AG <s.priebe@profihost.ag>
References: <5017C8A0.60506@profihost.ag> <5017F19E.4070308@redhat.com>
	<501817C9.6090405@profihost.ag> <5018EC7D.9090702@redhat.com>
	<5018F5BB.9070500@profihost.ag> <5018F7E6.4020909@redhat.com>
	<5018F9F6.70307@profihost.ag> <5018FC9B.8040808@redhat.com>
	<501E4615.7060801@profihost.ag> <501E4AFD.3020806@redhat.com>
	<501E96BB.5060702@profihost.ag> <501EC2E2.8010802@profihost.ag>
	<501F8226.9090500@redhat.com> <501F846C.50903@profihost.ag>
	<501FB4A8.6080609@redhat.com>
In-Reply-To: <501FB4A8.6080609@redhat.com>
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24
X-detected-operating-system: by eggs.gnu.org: Genre and OS details not
	recognized.
X-Received-From: 209.132.183.28
Cc: Kevin Wolf <kwolf@redhat.com>,
	Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>,
	kvm@vger.kernel.org, mtosatti@redhat.com,
	qemu-devel <qemu-devel@nongnu.org>,
	linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: [Qemu-devel] KVM segfaults with 3.5 while installing ubuntu
	12.04
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org

On 08/06/2012 03:12 PM, Avi Kivity wrote:
> On 08/06/2012 11:46 AM, Stefan Priebe - Profihost AG wrote:
> 
>> But still i got the segfault and core dump - this is my main problem? I
>> mean qemu-kvm master isn't declared as stable. So i don't care about the
>> slowness here.
>> 
>> What can we do about the core dump and crash?
> 
> Okay, I reproduced it; it seems aio=native is the culprit.  You can try
> aio=threads as a workaround.
> 
> Copying some relevant people (context: aio=native on qemu-kvm-1.1.1
> segfaults pretty early during guest install)
> 

The following ought to fix it:


From: Avi Kivity <avi@redhat.com>
Date: Mon, 6 Aug 2012 15:35:02 +0300
Subject: [PATCH] virtio-mlk: fix use-after-free while handling scsi commands

The scsi passthrough handler falls through after completing a
request into the failure path, resulting in a use after free.

Reprducible by running a guest with aio=native on a block device.

Reported-by: Stefan Priebe <s.priebe@profihost.ag>
Signed-off-by: Avi Kivity <avi@redhat.com>

diff --git a/hw/virtio-blk.c b/hw/virtio-blk.c
index f21757e..552b3b6 100644
--- a/hw/virtio-blk.c
+++ b/hw/virtio-blk.c
@@ -254,6 +254,7 @@ static void virtio_blk_handle_scsi(VirtIOBlockReq *req)
 
     virtio_blk_req_complete(req, status);
     g_free(req);
+    return;
 #else
     abort();
 #endif