QEMU With E2K User Support
Go to file
Fam Zheng 271c0f68b4 aio: Fix use-after-free in cancellation path
The current flow of canceling a thread from THREAD_ACTIVE state is:

  1) Caller wants to cancel a request, so it calls thread_pool_cancel.

  2) thread_pool_cancel waits on the conditional variable
     elem->check_cancel.

  3) The worker thread changes state to THREAD_DONE once the task is
     done, and notifies elem->check_cancel to allow thread_pool_cancel
     to continue execution, and signals the notifier (pool->notifier) to
     allow callback function to be called later. But because of the
     global mutex, the notifier won't get processed until step 4) and 5)
     are done.

  4) thread_pool_cancel continues, leaving the notifier signaled, it
     just returns to caller.

  5) Caller thinks the request is already canceled successfully, so it
     releases any related data, such as freeing elem->common.opaque.

  6) In the next main loop iteration, the notifier handler,
     event_notifier_ready, is called. It finds the canceled thread in
     THREAD_DONE state, so calls elem->common.cb, with an (likely)
     dangling opaque pointer. This is a use-after-free.

Fix it by calling event_notifier_ready before leaving
thread_pool_cancel.

Test case update: This change will let cancel complete earlier than
test-thread-pool.c expects, so update the code to check this case: if
it's already done, done_cb sets .aiocb to NULL, skip calling
bdrv_aio_cancel on them.

Reported-by: Ulrich Obergfell <uobergfe@redhat.com>
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-05-28 14:28:46 +02:00
audio audio: replace fprintf(stderr, ...) with error_report() in audio 2014-05-26 10:41:21 +04:00
backends build: convert some obj-specific CFLAGS to use new foo.o-cflags syntax 2014-05-08 15:27:49 +02:00
block qcow2: Fix memory leak in COW error path 2014-05-28 14:28:46 +02:00
bsd-user bsd-user: replace fprintf(stderr, ...) with error_report() 2014-05-26 10:41:22 +04:00
default-configs s390x: split flic into kvm and non-kvm parts 2014-05-20 13:05:57 +02:00
disas disas/libvixl: Update to libvixl 1.4 2014-05-13 16:09:35 +01:00
docs docs: add multiseat.txt 2014-05-26 08:42:43 +02:00
dtc@bc895d6d09
fpu softfloat: Introduce float32_to_uint64_round_to_zero 2014-04-08 11:20:00 +02:00
fsdev virtfs-proxy-helper: fix call to accept 2014-04-28 08:55:32 +04:00
gdb-xml
hw input: add event routing and multiseat support. 2014-05-28 10:33:05 +01:00
include input: add event routing and multiseat support. 2014-05-28 10:33:05 +01:00
libcacard libcacard: remove useless initializers 2014-05-26 10:41:22 +04:00
linux-headers linux-headers: update 2014-05-20 13:05:58 +02:00
linux-user target-i386: the x86 CPL is stored in CS.selector - auto update hflags accordingly. 2014-05-13 13:12:40 +02:00
net monitor: Add set_link arguments completion. 2014-05-15 15:16:02 -04:00
pc-bios ipxe: update to current git 2014-05-15 14:24:05 +02:00
pixman@97336fad32
po po: add proper Language: tags to .po files 2014-04-28 08:55:32 +04:00
qapi qapi: Replace uncommon use of the error API by the common one 2014-05-15 14:00:46 -04:00
qga qga: Drop superfluous error_is_set() 2014-05-09 09:11:31 -04:00
qobject qdict: Add qdict_join() 2014-05-19 11:36:48 +02:00
qom qerror.h: Remove QERR defines that are only used once 2014-04-25 09:19:59 -04:00
roms ipxe: update to current git 2014-05-15 14:24:05 +02:00
scripts qapi: zero-initialize all QMP command parameters 2014-05-21 09:25:31 -04:00
slirp slirp: Remove default_mon usage 2014-04-25 09:19:58 -04:00
stubs qerror.h: Replace QERR_NOT_SUPPORTED with QERR_UNSUPPORTED 2014-04-25 09:19:59 -04:00
sysconfigs/target
target-alpha savevm: Remove all the unneeded version_minimum_id_old (rest) 2014-05-14 15:24:51 +02:00
target-arm target-arm: Fix segfault on startup when KVM enabled 2014-05-27 13:55:39 +01:00
target-cris cputlb: Change tlb_set_page() argument to CPUState 2014-03-13 19:52:47 +01:00
target-i386 Merge remote-tracking branch 'remotes/kvm/uq/master' into staging 2014-05-15 15:38:40 +01:00
target-lm32 lm32: remove lm32_sys 2014-05-24 19:43:52 +02:00
target-m68k cputlb: Change tlb_set_page() argument to CPUState 2014-03-13 19:52:47 +01:00
target-microblaze microblaze: Respect the reset vector 2014-05-13 09:12:40 +10:00
target-mips target-mips: Avoid shifting left into sign bit 2014-03-27 19:22:49 +04:00
target-moxie savevm: Remove all the unneeded version_minimum_id_old (rest) 2014-05-14 15:24:51 +02:00
target-openrisc savevm: Remove all the unneeded version_minimum_id_old (rest) 2014-05-14 15:24:51 +02:00
target-ppc cpu: make CPU_INTERRUPT_RESET available on all targets 2014-05-13 13:21:51 +02:00
target-s390x s390x/kvm: hw debugging support via guest PER facility 2014-05-20 13:05:58 +02:00
target-sh4 cputlb: Change tlb_set_page() argument to CPUState 2014-03-13 19:52:47 +01:00
target-sparc target-sparc: fix 32bit integer division overflow 2014-03-26 23:40:40 +00:00
target-unicore32 cputlb: Change tlb_set_page() argument to CPUState 2014-03-13 19:52:47 +01:00
target-xtensa cputlb: Change tlb_set_page() argument to CPUState 2014-03-13 19:52:47 +01:00
tcg Merge remote-tracking branch 'remotes/rth/tcg-mips' into staging 2014-05-27 18:31:02 +01:00
tests aio: Fix use-after-free in cancellation path 2014-05-28 14:28:46 +02:00
trace trace: [tracetool] Minimize the amount of per-backend code 2014-05-07 19:07:18 +02:00
ui sdl: pass key event source to input layer 2014-05-26 08:42:43 +02:00
util purge error_is_set() 2014-05-22 18:14:01 +01:00
.exrc
.gitignore configure: Put tempfiles in a subdir of the build directory 2014-05-24 00:34:38 +04:00
.gitmodules Add OpenHack'Ware submodule 2014-03-12 17:26:32 +01:00
.mailmap
.travis.yml .travis.yml: add IRC notifications for build failures 2014-03-15 13:54:18 +04:00
aio-posix.c
aio-win32.c
arch_init.c arch_init: replace fprintf(stderr, ...) with error_report() 2014-05-24 00:10:42 +04:00
async.c aio: add aio_context_acquire() and aio_context_release() 2014-03-13 14:42:24 +01:00
balloon.c
block-migration.c block: Handle error of bdrv_getlength in bdrv_create_dirty_bitmap 2014-04-22 11:57:02 +02:00
block.c block: optimize zero writes with bdrv_write_zeroes 2014-05-19 13:42:27 +02:00
blockdev-nbd.c nbd: Close socket on negotiation failure. 2014-05-24 00:07:29 +04:00
blockdev.c block: optimize zero writes with bdrv_write_zeroes 2014-05-19 13:42:27 +02:00
blockjob.c qerror.h: Replace QERR_NOT_SUPPORTED with QERR_UNSUPPORTED 2014-04-25 09:19:59 -04:00
bt-host.c
bt-vhci.c
Changelog
CODING_STYLE CODING_STYLE: Section about mixed declarations 2014-03-27 19:22:49 +04:00
configure trivial patches for 2014-05-26 2014-05-27 22:45:03 +01:00
COPYING
COPYING.LIB
coroutine-gthread.c do not call g_thread_init() for glib >= 2.31 2014-05-07 21:00:43 +04:00
coroutine-sigaltstack.c
coroutine-ucontext.c
coroutine-win32.c
cpu-exec.c cpu: make CPU_INTERRUPT_RESET available on all targets 2014-05-13 13:21:51 +02:00
cpus.c savevm: Remove all the unneeded version_minimum_id_old (rest) 2014-05-14 15:24:51 +02:00
cputlb.c cputlb: Change tlb_set_page() argument to CPUState 2014-03-13 19:52:47 +01:00
device_tree.c
device-hotplug.c machine: Remove QEMUMachine indirection from MachineClass 2014-05-05 19:08:49 +02:00
disas.c
dma-helpers.c dma-helpers: avoid calling dma_bdrv_unmap() twice 2014-05-24 00:28:43 +04:00
dump.c dump: Drop pointless error_is_set(), DumpState member errp 2014-05-09 09:11:32 -04:00
exec.c savevm: Remove all the unneeded version_minimum_id_old (rest) 2014-05-14 15:24:51 +02:00
gdbstub.c exec: Change cpu_breakpoint_{insert,remove{,_by_ref,_all}} argument 2014-03-13 19:20:48 +01:00
HACKING
hmp-commands.hx monitor: Add netdev_del id argument completion. 2014-05-15 15:16:02 -04:00
hmp.c Block patches 2014-05-20 11:57:52 +01:00
hmp.h monitor: Add netdev_del id argument completion. 2014-05-15 15:16:02 -04:00
iohandler.c iohandler.c: Properly initialize sigaction struct 2014-05-24 00:07:29 +04:00
ioport.c
iothread.c iothread: make IOThread struct definition public 2014-04-04 20:48:02 +02:00
kvm-all.c s390x/virtio-ccw: wire up irq routing and irqfds 2014-05-20 13:05:58 +02:00
kvm-stub.c s390x/virtio-ccw: wire up irq routing and irqfds 2014-05-20 13:05:58 +02:00
LICENSE
main-loop.c main-loop: Suppress "I/O thread spun" warnings for qtest 2014-03-13 21:36:50 +01:00
MAINTAINERS Merge remote-tracking branch 'remotes/bonzini/scsi-next' into staging 2014-05-19 12:30:06 +01:00
Makefile Merge remote-tracking branch 'remotes/bonzini/configure' into staging 2014-05-13 11:30:07 +01:00
Makefile.objs libcacard: remove libcacard-specific CFLAGS and LIBS from global vars 2014-05-09 22:59:40 +02:00
Makefile.target Makefile.target: use $(INSTALL_PROG) for installing, not $(INSTALL) 2014-05-08 15:09:04 +02:00
memory_mapping.c
memory.c memory_region_present: return false if address is not found in child MemoryRegion 2014-03-09 21:09:37 +02:00
migration-exec.c
migration-fd.c
migration-rdma.c
migration-tcp.c Coverity: Fix failure path for qemu_accept in migration 2014-05-05 22:15:03 +02:00
migration-unix.c Coverity: Fix failure path for qemu_accept in migration 2014-05-05 22:15:03 +02:00
migration.c migration: show average throughput when migration finishes 2014-05-14 15:24:52 +02:00
module-common.c
monitor.c monitor: Add netdev_del id argument completion. 2014-05-15 15:16:02 -04:00
nbd.c nbd: Miscellaneous typo fixes. 2014-05-24 00:07:29 +04:00
os-posix.c oslib-posix: Fix build on FreeBSD 2014-03-13 14:34:16 +00:00
os-win32.c
page_cache.c
qapi-schema.json Merge remote-tracking branch 'remotes/qmp-unstable/queue/qmp' into staging 2014-05-22 19:04:49 +01:00
qdev-monitor.c qdev: Fix crash by validating the object type 2014-05-05 19:08:49 +02:00
qdict-test-data.txt
qemu-bridge-helper.c
qemu-char.c char: Explain qmp_chardev_add()'s unusual error handling 2014-05-21 11:57:58 +02:00
qemu-coroutine-io.c
qemu-coroutine-lock.c
qemu-coroutine-sleep.c
qemu-coroutine.c
qemu-doc.texi doc: grammify "allows to" 2014-04-18 10:33:36 +04:00
qemu-file.c Make qemu_peek_buffer loop until it gets it's data 2014-05-05 22:15:03 +02:00
qemu-img-cmds.hx
qemu-img.c Remove g_sequence_lookup from qemu-img help function 2014-05-19 11:36:48 +02:00
qemu-img.texi
qemu-io-cmds.c qemu-io-cmds: Fixed typo in example for writev. 2014-03-19 09:39:41 +01:00
qemu-io.c block: Add errp to bdrv_new() 2014-04-22 12:00:20 +02:00
qemu-log.c
qemu-nbd.c nbd: Miscellaneous typo fixes. 2014-05-24 00:07:29 +04:00
qemu-nbd.texi nbd: Miscellaneous typo fixes. 2014-05-24 00:07:29 +04:00
qemu-options-wrapper.h
qemu-options.h
qemu-options.hx target-lm32: add semihosting support 2014-05-24 19:42:29 +02:00
qemu-seccomp.c seccomp: add shmctl(), mlock(), and munlock() to the syscall whitelist 2014-04-25 14:52:03 -03:00
qemu-tech.texi
qemu-timer.c vl.c: remove init_clocks call from main 2014-05-09 20:57:32 +02:00
qemu.nsi
qemu.sasl sasl: Avoid 'Could not find keytab file' in syslog 2014-03-15 13:54:18 +04:00
qmp-commands.hx Merge remote-tracking branch 'remotes/qmp-unstable/queue/qmp' into staging 2014-05-22 19:04:49 +01:00
qmp.c qmp: Don't use error_is_set() to suppress additional errors 2014-05-09 09:11:32 -04:00
qtest.c machine: Replace QEMUMachine by MachineClass in accelerator configuration 2014-05-05 19:08:49 +02:00
README
rules.mak build: simplify and fix fix-obj-vars 2014-05-09 22:59:40 +02:00
savevm.c qerror.h: Remove QERR defines that are only used once 2014-04-25 09:19:59 -04:00
spice-qemu-char.c
tcg-runtime.c
tci.c tci: Mask shift counts to avoid undefined behavior 2014-04-18 16:57:36 -07:00
thread-pool.c aio: Fix use-after-free in cancellation path 2014-05-28 14:28:46 +02:00
thunk.c
tpm.c
trace-events input: add event routing and multiseat support. 2014-05-28 10:33:05 +01:00
translate-all.c tcg-mips: Constrain the code_gen_buffer to be within one 256mb segment 2014-05-24 08:45:00 -07:00
translate-all.h translate-all: Change tb_check_watchpoint() argument to CPUState 2014-03-13 19:20:48 +01:00
user-exec.c tcg-aarch64: Properly detect SIGSEGV writes 2014-04-16 12:12:32 -04:00
VERSION Open 2.1 development tree 2014-04-17 20:39:32 +01:00
version.rc
vl.c vl: fix 'name' option to work with -readconfig 2014-05-24 00:44:12 +04:00
vmstate.c savevm: Ignore minimum_version_id_old if there is no load_state_old 2014-05-05 22:15:03 +02:00
xbzrle.c xbzrle.c: Avoid undefined behaviour with signed arithmetic 2014-04-18 10:33:36 +04:00
xen-common-stub.c xen: factor out common functions 2014-05-07 16:16:43 +00:00
xen-common.c xen: factor out common functions 2014-05-07 16:16:43 +00:00
xen-hvm-stub.c xen: factor out common functions 2014-05-07 16:16:43 +00:00
xen-hvm.c pass an inclusive address range to xc_domain_pin_memory_cacheattr 2014-05-07 16:17:57 +00:00
xen-mapcache.c

Read the documentation in qemu-doc.html or on http://wiki.qemu-project.org

- QEMU team