diff options
| author | Stefan Hajnoczi <stefanha@redhat.com> | 2023-02-21 16:22:17 -0500 |
|---|---|---|
| committer | Kevin Wolf <kwolf@redhat.com> | 2023-02-23 19:49:35 +0100 |
| commit | abfcd2760b3e70727bbc0792221b8b98a733dc32 (patch) | |
| tree | 29cfea4f465984e135acbc4629dde02f959ada61 /include/standard-headers/linux/input-event-codes.h | |
| parent | 7b7fc3d0102dafe8eb44802493036a526e921a71 (diff) | |
| download | focaccia-qemu-abfcd2760b3e70727bbc0792221b8b98a733dc32.tar.gz focaccia-qemu-abfcd2760b3e70727bbc0792221b8b98a733dc32.zip | |
dma-helpers: prevent dma_blk_cb() vs dma_aio_cancel() race
dma_blk_cb() only takes the AioContext lock around ->io_func(). That means the rest of dma_blk_cb() is not protected. In particular, the DMAAIOCB field accesses happen outside the lock. There is a race when the main loop thread holds the AioContext lock and invokes scsi_device_purge_requests() -> bdrv_aio_cancel() -> dma_aio_cancel() while an IOThread executes dma_blk_cb(). The dbs->acb field determines how cancellation proceeds. If dma_aio_cancel() sees dbs->acb == NULL while dma_blk_cb() is still running, the request can be completed twice (-ECANCELED and the actual return value). The following assertion can occur with virtio-scsi when an IOThread is used: ../hw/scsi/scsi-disk.c:368: scsi_dma_complete: Assertion `r->req.aiocb != NULL' failed. Fix the race by holding the AioContext across dma_blk_cb(). Now dma_aio_cancel() under the AioContext lock will not see inconsistent/intermediate states. Cc: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Message-Id: <20230221212218.1378734-3-stefanha@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Diffstat (limited to 'include/standard-headers/linux/input-event-codes.h')
0 files changed, 0 insertions, 0 deletions