qemu-e2k/block
Roman Kagan ddde5ee769 block/nbd: only enter connection coroutine if it's present
When an NBD block driver state is moved from one aio_context to another
(e.g. when doing a drain in a migration thread),
nbd_client_attach_aio_context_bh is executed that enters the connection
coroutine.

However, the assumption that ->connection_co is always present here
appears incorrect: the connection may have encountered an error other
than -EIO in the underlying transport, and thus may have decided to quit
rather than keep trying to reconnect, and therefore it may have
terminated the connection coroutine.  As a result an attempt to reassign
the client in this state (NBD_CLIENT_QUIT) to a different aio_context
leads to a null pointer dereference:

  #0  qio_channel_detach_aio_context (ioc=0x0)
      at /build/qemu-gYtjVn/qemu-5.0.1/io/channel.c:452
  #1  0x0000562a242824b3 in bdrv_detach_aio_context (bs=0x562a268d6a00)
      at /build/qemu-gYtjVn/qemu-5.0.1/block.c:6151
  #2  bdrv_set_aio_context_ignore (bs=bs@entry=0x562a268d6a00,
      new_context=new_context@entry=0x562a260c9580,
      ignore=ignore@entry=0x7feeadc9b780)
      at /build/qemu-gYtjVn/qemu-5.0.1/block.c:6230
  #3  0x0000562a24282969 in bdrv_child_try_set_aio_context
      (bs=bs@entry=0x562a268d6a00, ctx=0x562a260c9580,
      ignore_child=<optimized out>, errp=<optimized out>)
      at /build/qemu-gYtjVn/qemu-5.0.1/block.c:6332
  #4  0x0000562a242bb7db in blk_do_set_aio_context (blk=0x562a2735d0d0,
      new_context=0x562a260c9580,
      update_root_node=update_root_node@entry=true, errp=errp@entry=0x0)
      at /build/qemu-gYtjVn/qemu-5.0.1/block/block-backend.c:1989
  #5  0x0000562a242be0bd in blk_set_aio_context (blk=<optimized out>,
      new_context=<optimized out>, errp=errp@entry=0x0)
      at /build/qemu-gYtjVn/qemu-5.0.1/block/block-backend.c:2010
  #6  0x0000562a23fbd953 in virtio_blk_data_plane_stop (vdev=<optimized
      out>)
      at /build/qemu-gYtjVn/qemu-5.0.1/hw/block/dataplane/virtio-blk.c:292
  #7  0x0000562a241fc7bf in virtio_bus_stop_ioeventfd (bus=0x562a260dbf08)
      at /build/qemu-gYtjVn/qemu-5.0.1/hw/virtio/virtio-bus.c:245
  #8  0x0000562a23fefb2e in virtio_vmstate_change (opaque=0x562a260dbf90,
      running=0, state=<optimized out>)
      at /build/qemu-gYtjVn/qemu-5.0.1/hw/virtio/virtio.c:3220
  #9  0x0000562a2402ebfd in vm_state_notify (running=running@entry=0,
      state=state@entry=RUN_STATE_FINISH_MIGRATE)
      at /build/qemu-gYtjVn/qemu-5.0.1/softmmu/vl.c:1275
  #10 0x0000562a23f7bc02 in do_vm_stop (state=RUN_STATE_FINISH_MIGRATE,
      send_stop=<optimized out>)
      at /build/qemu-gYtjVn/qemu-5.0.1/cpus.c:1032
  #11 0x0000562a24209765 in migration_completion (s=0x562a260e83a0)
      at /build/qemu-gYtjVn/qemu-5.0.1/migration/migration.c:2914
  #12 migration_iteration_run (s=0x562a260e83a0)
      at /build/qemu-gYtjVn/qemu-5.0.1/migration/migration.c:3275
  #13 migration_thread (opaque=opaque@entry=0x562a260e83a0)
      at /build/qemu-gYtjVn/qemu-5.0.1/migration/migration.c:3439
  #14 0x0000562a2435ca96 in qemu_thread_start (args=<optimized out>)
      at /build/qemu-gYtjVn/qemu-5.0.1/util/qemu-thread-posix.c:519
  #15 0x00007feed31466ba in start_thread (arg=0x7feeadc9c700)
      at pthread_create.c:333
  #16 0x00007feed2e7c41d in __GI___sysctl (name=0x0, nlen=608471908,
      oldval=0x562a2452b138, oldlenp=0x0, newval=0x562a2452c5e0
      <__func__.28102>, newlen=0)
      at ../sysdeps/unix/sysv/linux/sysctl.c:30
  #17 0x0000000000000000 in ?? ()

Fix it by checking that the connection coroutine is non-null before
trying to enter it.  If it is null, no entering is needed, as the
connection is probably going down anyway.

Signed-off-by: Roman Kagan <rvkagan@yandex-team.ru>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Message-Id: <20210129073859.683063-3-rvkagan@yandex-team.ru>
Signed-off-by: Eric Blake <eblake@redhat.com>
2021-02-03 08:17:12 -06:00
..
export qapi: Use QAPI_LIST_APPEND in trivial cases 2021-01-28 08:08:45 +01:00
monitor qapi: block-stream: add "bottom" argument 2021-01-26 14:36:37 +01:00
accounting.c block/accounting: Use lock guard macros 2020-12-11 17:52:39 +01:00
aio_task.c
amend.c
backup-top.c block/block-copy: drop unused argument of block_copy() 2021-01-26 14:36:37 +01:00
backup-top.h qapi: backup: add perf.use-copy-range parameter 2021-01-26 14:36:37 +01:00
backup.c backup: move to block-copy 2021-01-26 14:36:37 +01:00
blkdebug.c block: Fix some code style problems, "foo* bar" should be "foo *bar" 2020-11-09 18:42:47 +01:00
blklogwrites.c
blkreplay.c
blkverify.c block/io: support int64_t bytes in read/write wrappers 2021-02-03 08:17:12 -06:00
block-backend.c block: Separate blk_is_writable() and blk_supports_write_perm() 2021-01-27 20:45:20 +01:00
block-copy.c block/block-copy: drop unused argument of block_copy() 2021-01-26 14:36:37 +01:00
block-gen.h
bochs.c
cloop.c
commit.c
copy-on-read.c copy-on-read: skip non-guest reads if no copy needed 2021-01-26 14:36:37 +01:00
copy-on-read.h copy-on-read: add filter drop function 2021-01-26 11:26:54 +01:00
coroutines.h
create.c
crypto.c nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
crypto.h nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
curl.c curl: remove compatibility code, require 7.29.0 2021-01-02 21:03:37 +01:00
dirty-bitmap.c qapi: Use QAPI_LIST_APPEND in trivial cases 2021-01-28 08:08:45 +01:00
dmg-bz2.c
dmg-lzfse.c block: Remove unused include 2020-11-09 15:44:21 +01:00
dmg.c block: Fix some code style problems, "foo* bar" should be "foo *bar" 2020-11-09 18:42:47 +01:00
dmg.h
file-posix.c block: refactor bdrv_check_request: add errp 2021-02-03 08:00:33 -06:00
file-win32.c
filter-compress.c
gluster.c qapi: More complex uses of QAPI_LIST_APPEND 2021-01-28 08:08:45 +01:00
io_uring.c io_uring: do not use pointer after free 2020-11-17 12:26:48 +01:00
io.c block/io: use int64_t bytes in copy_range 2021-02-03 08:17:12 -06:00
iscsi-opts.c
iscsi.c Remove superfluous timer_del() calls 2021-01-08 15:13:38 +00:00
linux-aio.c
meson.build meson: Propagate gnutls dependency 2021-01-12 12:38:03 +01:00
mirror.c
nbd.c block/nbd: only enter connection coroutine if it's present 2021-02-03 08:17:12 -06:00
nfs.c block/nfs: fix int overflow in nfs_client_open_qdict 2020-12-18 11:48:39 +01:00
null.c
nvme.c block/nvme: Trace NVMe spec version supported by the controller 2021-02-02 17:05:38 +01:00
parallels.c
parallels.h
preallocate.c block: introduce preallocate filter 2020-12-18 12:35:55 +01:00
qapi-sysemu.c
qapi.c block: Fix VM size column width in bdrv_snapshot_dump() 2021-02-02 17:23:55 +01:00
qcow2-bitmap.c qapi: Use QAPI_LIST_APPEND in trivial cases 2021-01-28 08:08:45 +01:00
qcow2-cache.c
qcow2-cluster.c qcow2: Fix corruption on write_zeroes with MAY_UNMAP 2020-11-24 11:29:41 +01:00
qcow2-refcount.c
qcow2-snapshot.c
qcow2-threads.c
qcow2.c Remove superfluous timer_del() calls 2021-01-08 15:13:38 +00:00
qcow2.h block: Fix some code style problems, "foo* bar" should be "foo *bar" 2020-11-09 18:42:47 +01:00
qcow.c
qed-check.c
qed-cluster.c
qed-l2-cache.c
qed-table.c
qed.c
qed.h
quorum.c quorum: Implement bdrv_co_pwrite_zeroes() 2020-12-18 12:35:55 +01:00
raw-format.c
rbd.c qobject: Change qobject_to_json()'s value to GString 2020-12-19 10:38:43 +01:00
replication.c qapi: backup: add max-chunk and max-workers to x-perf struct 2021-01-26 14:36:37 +01:00
sheepdog.c
snapshot.c
ssh.c
stream.c block: apply COR-filter to block-stream jobs 2021-01-26 14:36:37 +01:00
throttle-groups.c block/throttle-groups: throttle_group_co_io_limits_intercept(): 64bit bytes 2021-02-03 08:14:00 -06:00
throttle.c
trace-events block/io: use int64_t bytes in copy_range 2021-02-03 08:17:12 -06:00
trace.h
vdi.c
vhdx-endian.c
vhdx-log.c
vhdx.c
vhdx.h
vmdk.c qapi: Use QAPI_LIST_APPEND in trivial cases 2021-01-28 08:08:45 +01:00
vpc.c block/vpc: Use sizeof() instead of HEADER_SIZE for footer size 2020-12-18 12:43:30 +01:00
vvfat.c
win32-aio.c
write-threshold.c