e74c0f316d
CVE-2017-7539: qemu-nbd crashes due to undefined I/O coroutine CVE-2017-11434: slirp: out-of-bounds read while parsing dhcp options CVE-2017-11334: exec: oob access during dma operation CVE-2017-10806: usb-redirect: stack buffer overflow in debug logging CVE-2017-10664: qemu-nbd: server breaks with SIGPIPE upon client abort CVE-2017-9524: nbd: segmentation fault due to client non-negotiation CVE-2017-9503: scsi: null pointer dereference while processing megasas command
72 lines
2.5 KiB
Diff
From 28a204390093e5dfa0b4a2e94c06e807fe777c5f Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Mon, 8 May 2017 14:07:05 -0400
Subject: [PATCH 06/23] aio: add missing aio_notify() to aio_enable_external()

The main loop uses aio_disable_external()/aio_enable_external() to
temporarily disable processing of external AioContext clients like
device emulation.

This allows monitor commands to quiesce I/O and prevent the guest from
submitting new requests while a monitor command is in progress.

The aio_enable_external() API is currently broken when an IOThread is in
aio_poll() waiting for fd activity when the main loop re-enables
external clients. Incrementing ctx->external_disable_cnt does not wake
the IOThread from ppoll(2) so fd processing remains suspended and leads
to unresponsive emulated devices.

This patch adds an aio_notify() call to aio_enable_external() so the
IOThread is kicked out of ppoll(2) and will re-arm the file descriptors.

The bug can be reproduced as follows:

  $ qemu -M accel=kvm -m 1024 \
        -object iothread,id=iothread0 \
        -device virtio-scsi-pci,iothread=iothread0,id=virtio-scsi-pci0 \
        -drive if=none,id=drive0,aio=native,cache=none,format=raw,file=test.img \
        -device scsi-hd,id=scsi-hd0,drive=drive0 \
        -qmp tcp::5555,server,nowait

  $ scripts/qmp/qmp-shell localhost:5555
  (qemu) blockdev-snapshot-sync device=drive0 snapshot-file=sn1.qcow2
         mode=absolute-paths format=qcow2

After blockdev-snapshot-sync completes the SCSI disk will be
unresponsive. This leads to request timeouts inside the guest.

Reported-by: Qianqian Zhu <qizhu@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 20170508180705.20609-1-stefanha@redhat.com
Suggested-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 include/block/aio.h | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/include/block/aio.h b/include/block/aio.h
index 406e32305a..e9aeeaec94 100644
--- a/include/block/aio.h
+++ b/include/block/aio.h
@@ -454,8 +454,14 @@ static inline void aio_disable_external(AioContext *ctx)
*/
static inline void aio_enable_external(AioContext *ctx)
{
- assert(ctx->external_disable_cnt > 0);
- atomic_dec(&ctx->external_disable_cnt);
+ int old;
+
+ old = atomic_fetch_dec(&ctx->external_disable_cnt);
+ assert(old > 0);
+ if (old == 1) {
+ /* Kick event loop so it re-arms file descriptors */
+ aio_notify(ctx);
+ }
}
 
/**
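Review bot: the decrement now precedes the check, so with `old = atomic_fetch_dec(&ctx->external_disable_cnt);` followed by `assert(old > 0);` an unbalanced aio_enable_external() call has already driven the counter to -1 by the time the assertion fires, whereas the removed `assert(ctx->external_disable_cnt > 0);` aborted before touching it; the outcome is the same abort, so this only matters to someone reading the counter out of a core dump, but a one-line comment would spare the next reader the same double-take. Separately, the doc comment that ends at the `*/` context line at the top of the hunk should state that re-enabling may call aio_notify(), and that only the call which brings the counter back to zero (old == 1) does so, since callers that nest disable/enable pairs now rely on exactly that contract.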
--
2.11.0
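The lost wakeup the commit message describes, as an added model in C (this is example code, not QEMU's): a pipe stands in for the AioContext EventNotifier and a zero-timeout poll() for the IOThread's ppoll(), so the same disable/enable sequence can be run against the pre-patch and patched enable logic. ModelCtx, the model_* functions and the second*10+first return encoding are this example's own assumed names.

```c
#include <poll.h>
#include <stdatomic.h>
#include <unistd.h>
/* Model of the AioContext state involved: the disable counter plus the
 * EventNotifier, stood in for by a pipe that the poller watches. */
typedef struct {
    atomic_int external_disable_cnt;
    int notifier[2];
} ModelCtx;
/* Stand-in for aio_notify(): make the notifier readable so ppoll() returns. */
static void model_notify(ModelCtx *ctx) {
    char b = 1;
    if (write(ctx->notifier[1], &b, 1) < 0) return;
}
static void model_disable_external(ModelCtx *ctx) {
    atomic_fetch_add(&ctx->external_disable_cnt, 1);
}
/* kick=0 is the pre-patch code (counter drops, nobody wakes the IOThread);
 * kick=1 is the patch: notify only on the final 1 -> 0 transition. */
static void model_enable_external(ModelCtx *ctx, int kick) {
    int old = atomic_fetch_sub(&ctx->external_disable_cnt, 1);
    if (kick && old == 1) model_notify(ctx);
}
/* IOThread side: one poll() on the notifier, like aio_poll()'s ppoll().
 * Returns 1 if the loop was woken (draining the notifier), 0 on timeout. */
static int model_iothread_poll(ModelCtx *ctx, int timeout_ms) {
    struct pollfd pfd = { .fd = ctx->notifier[0], .events = POLLIN };
    char buf[16];
    if (poll(&pfd, 1, timeout_ms) <= 0) return 0;
    return read(ctx->notifier[0], buf, sizeof buf) > 0;
}
/* Two nested disables, then two enables, polling after each. Returns
 * second*10 + first: 0 for the old code (never woken), 10 for the patch
 * (woken once, only by the enable that brings the counter back to 0). */
static int model_scenario(int kick) {
    ModelCtx ctx = { .external_disable_cnt = 0 };
    if (pipe(ctx.notifier) != 0) return -1;
    model_disable_external(&ctx);
    model_disable_external(&ctx);
    model_enable_external(&ctx, kick);
    int first = model_iothread_poll(&ctx, 0);   /* still disabled: no wake */
    model_enable_external(&ctx, kick);
    int second = model_iothread_poll(&ctx, 0);  /* patched code wakes here */
    close(ctx.notifier[0]);
    close(ctx.notifier[1]);
    return second * 10 + first;
}
```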