From patchwork Thu Dec 1 16:50:20 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Klaus Jensen X-Patchwork-Id: 13061572 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id CAA3BC43217 for ; Thu, 1 Dec 2022 16:51:44 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1p0mlj-00008L-Rh; Thu, 01 Dec 2022 11:50:40 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1p0mle-000050-Eb; Thu, 01 Dec 2022 11:50:34 -0500 Received: from out3-smtp.messagingengine.com ([66.111.4.27]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1p0mlc-00010r-C1; Thu, 01 Dec 2022 11:50:34 -0500 Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id 67B8D5C0196; Thu, 1 Dec 2022 11:50:31 -0500 (EST) Received: from mailfrontend2 ([10.202.2.163]) by compute5.internal (MEProxy); Thu, 01 Dec 2022 11:50:31 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=irrelevant.dk; h=cc:cc:content-transfer-encoding:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm3; t=1669913431; x= 1669999831; bh=7CgD1ROYjnt50Y1SYrZ71snDk8kbGY2eFrwxVc383X4=; b=j zEibpbxCK8ETlLf2BdfdsMniAnQKladxwg1hZVvvhO8WdQldTlhuGw36Ui1Kb9Io 2Y47UInpQYz+iYroAm0UFJO5diiJsQtqaHdF29CzUoNbHPLhOfzRF5CTjzNVx0vM d6ky3uXC36pZiWeyCqIs5DtKNeLmQ1WCXZMRU256VU51gESFQCmneFsgk1Eesfbm OJz9HGsRMtJltoz5T1bfg+HUPjTNbd8N+cskAjD4Drlk6m6B/m8DWd2KMPWxZgFN xxCOa9JMWD+N2GAXK+i10TkaXvTfuiqA5g5pAneM/yRZS6oqtPhq1Wf1vCAmM66Y iNztcpnPFEHDnzSvH/CHg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; t=1669913431; x=1669999831; bh=7CgD1ROYjnt50 Y1SYrZ71snDk8kbGY2eFrwxVc383X4=; b=O/6eP9skoG0yvo6ZkaW+vFJiMzFEs BaO48Uakl2P5d2tWJGku/xvWO2GO09BN1P71UaP3hm9rsXFziBr7F8MgNGVCJnSI oAETvl8ZB9bJYsOoC+oTm7KX7wu58NtksBiiHmAGVx+Sn9ROgXsgGpdpBstNNUmo J83esfjuPeXrgrc/AJRiYxJrohFK5jGswby7wZ6TEyVHqI1BRAdHwzbi1SkMIhwl qV8lUT8ggpiED33oMYVz5Jsf13WQw3Whlf0I0b6p8qPqAhZl5C48ZI66qz28QMcz Jw2gfEkczaU86LH8VoqK76XntGn+AUOqM2TmWLMyIQ5Yl0TI1XRUCX9hQ== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrtdehgdelgecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpefhvfevufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpefmlhgruhhs ucflvghnshgvnhcuoehithhssehirhhrvghlvghvrghnthdrughkqeenucggtffrrghtth gvrhhnpeejgfeilefgieevheekueevheehkeefveegiefgheefgfejjeehffefgedujedu geenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehith hssehirhhrvghlvghvrghnthdrughk X-ME-Proxy: Feedback-ID: idc91472f:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Thu, 1 Dec 2022 11:50:29 -0500 (EST) From: Klaus Jensen To: qemu-devel@nongnu.org Cc: qemu-block@nongnu.org, Keith Busch , Klaus Jensen , Klaus Jensen , Jonathan Derrick Subject: [PULL for-7.2 1/5] hw/nvme: fix aio cancel in format Date: Thu, 1 Dec 2022 17:50:20 +0100 Message-Id: <20221201165024.51018-2-its@irrelevant.dk> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20221201165024.51018-1-its@irrelevant.dk> References: <20221201165024.51018-1-its@irrelevant.dk> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=3896; i=k.jensen@samsung.com; h=from:subject; bh=xDv6JgPX2pJUd/Z1/825ymV6rZNZamjT491djcIWwOo=; b=owJ4nAFtAZL+kA0DAAoBTeGvMW1PDekByyZiAGOI21DKWp8TT/yntJaHHyUdAlqCDQ4ShEstFyt+ 7yfPwJpWIYkBMwQAAQoAHRYhBFIoM6p14tzmokdmwE3hrzFtTw3pBQJjiNtQAAoJEE3hrzFtTw3pxM kIAKrA2l6zvFdE+l5FaeAcKNYYYreMUTTH9I77jtK4io0FMZb5smC/DSiJg9i5+yPRLC6Tg+ZKN+UL b6TH4S0C6KRMUQsKnAzT43ChZQCnBGRkXBwBYbZM565z4TphU83eiL/+r5aWNyjiyYGcWIA2hkrAPh +jw2GOPDw3uKpZTuiEw46xtHUrkDPvqW+D7rB31ZURtgiO7UKUd5HPJEldFaCNJvrRsohfQJFnIngY yK0ath/7dj8BxzgFsSM1aJPl5EXpFdk0FjJrAeRzpcwvFkcC5bqKRf1NtUOhKgyb47AR165ZSjgx2d JGvbDQt4Ju6juizlh6qqHcKmRK5GxztM3qHab7 X-Developer-Key: i=k.jensen@samsung.com; a=openpgp; fpr=DDCA4D9C9EF931CC3468427263D56FC5E55DA838 Received-SPF: pass client-ip=66.111.4.27; envelope-from=its@irrelevant.dk; helo=out3-smtp.messagingengine.com X-Spam_score_int: -27 X-Spam_score: -2.8 X-Spam_bar: -- X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org From: Klaus Jensen There are several bugs in the async cancel code for the Format command. Firstly, cancelling a format operation neglects to set iocb->ret as well as clearing the iocb->aiocb after cancelling the underlying aiocb which causes the aio callback to ignore the cancellation. Trivial fix. Secondly, and worse, because the request is queued up for posting to the CQ in a bottom half, if the cancellation is due to the submission queue being deleted (which calls blk_aio_cancel), the req structure is deallocated in nvme_del_sq prior to the bottom half being schedulued. Fix this by simply removing the bottom half, there is no reason to defer it anyway. Fixes: 3bcf26d3d619 ("hw/nvme: reimplement format nvm to allow cancellation") Reported-by: Jonathan Derrick Reviewed-by: Keith Busch Signed-off-by: Klaus Jensen --- hw/nvme/ctrl.c | 28 ++++++++++++---------------- 1 file changed, 12 insertions(+), 16 deletions(-) diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c index ac3885ce5079..9bc56075f66f 100644 --- a/hw/nvme/ctrl.c +++ b/hw/nvme/ctrl.c @@ -5741,7 +5741,6 @@ static uint16_t nvme_ns_attachment(NvmeCtrl *n, NvmeRequest *req) typedef struct NvmeFormatAIOCB { BlockAIOCB common; BlockAIOCB *aiocb; - QEMUBH *bh; NvmeRequest *req; int ret; @@ -5756,14 +5755,15 @@ typedef struct NvmeFormatAIOCB { uint8_t pil; } NvmeFormatAIOCB; -static void nvme_format_bh(void *opaque); - static void nvme_format_cancel(BlockAIOCB *aiocb) { NvmeFormatAIOCB *iocb = container_of(aiocb, NvmeFormatAIOCB, common); + iocb->ret = -ECANCELED; + if (iocb->aiocb) { blk_aio_cancel_async(iocb->aiocb); + iocb->aiocb = NULL; } } @@ -5787,13 +5787,17 @@ static void nvme_format_set(NvmeNamespace *ns, uint8_t lbaf, uint8_t mset, nvme_ns_init_format(ns); } +static void nvme_do_format(NvmeFormatAIOCB *iocb); + static void nvme_format_ns_cb(void *opaque, int ret) { NvmeFormatAIOCB *iocb = opaque; NvmeNamespace *ns = iocb->ns; int bytes; - if (ret < 0) { + if (iocb->ret < 0) { + goto done; + } else if (ret < 0) { iocb->ret = ret; goto done; } @@ -5817,8 +5821,7 @@ static void nvme_format_ns_cb(void *opaque, int ret) iocb->offset = 0; done: - iocb->aiocb = NULL; - qemu_bh_schedule(iocb->bh); + nvme_do_format(iocb); } static uint16_t nvme_format_check(NvmeNamespace *ns, uint8_t lbaf, uint8_t pi) @@ -5842,9 +5845,8 @@ static uint16_t nvme_format_check(NvmeNamespace *ns, uint8_t lbaf, uint8_t pi) return NVME_SUCCESS; } -static void nvme_format_bh(void *opaque) +static void nvme_do_format(NvmeFormatAIOCB *iocb) { - NvmeFormatAIOCB *iocb = opaque; NvmeRequest *req = iocb->req; NvmeCtrl *n = nvme_ctrl(req); uint32_t dw10 = le32_to_cpu(req->cmd.cdw10); @@ -5882,11 +5884,7 @@ static void nvme_format_bh(void *opaque) return; done: - qemu_bh_delete(iocb->bh); - iocb->bh = NULL; - iocb->common.cb(iocb->common.opaque, iocb->ret); - qemu_aio_unref(iocb); } @@ -5905,7 +5903,6 @@ static uint16_t nvme_format(NvmeCtrl *n, NvmeRequest *req) iocb = qemu_aio_get(&nvme_format_aiocb_info, NULL, nvme_misc_cb, req); iocb->req = req; - iocb->bh = qemu_bh_new(nvme_format_bh, iocb); iocb->ret = 0; iocb->ns = NULL; iocb->nsid = 0; @@ -5934,14 +5931,13 @@ static uint16_t nvme_format(NvmeCtrl *n, NvmeRequest *req) } req->aiocb = &iocb->common; - qemu_bh_schedule(iocb->bh); + nvme_do_format(iocb); return NVME_NO_COMPLETE; out: - qemu_bh_delete(iocb->bh); - iocb->bh = NULL; qemu_aio_unref(iocb); + return status; } From patchwork Thu Dec 1 16:50:21 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Klaus Jensen X-Patchwork-Id: 13061579 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 667F8C43217 for ; Thu, 1 Dec 2022 16:52:55 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1p0mlt-0000Ge-7c; Thu, 01 Dec 2022 11:50:49 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1p0mlr-0000Fk-Ia; Thu, 01 Dec 2022 11:50:47 -0500 Received: from out3-smtp.messagingengine.com ([66.111.4.27]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1p0mle-000115-0T; Thu, 01 Dec 2022 11:50:36 -0500 Received: from compute2.internal (compute2.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id 169E05C019E; Thu, 1 Dec 2022 11:50:33 -0500 (EST) Received: from mailfrontend2 ([10.202.2.163]) by compute2.internal (MEProxy); Thu, 01 Dec 2022 11:50:33 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=irrelevant.dk; h=cc:cc:content-transfer-encoding:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm3; t=1669913433; x= 1669999833; bh=TqrX8aYaYyYeBNnOyObLeoI2PBPSkqeBYdmIchkhRz8=; b=m fpWeiKfjkNWyFeRlEQLIGBAStoxiUUraTlxg3hnGdcoIYNO7cyDtHFu0vu0no9Vs 4yFnyuONegm23wGLoCUlRmOMbXIQjEVWrK8cVetlsO/FAMr88VwiyUIAtS5w6PWx /KcvWbdx4MaclOA5ZJDyK9VUBCxIIGqje71EZWEukNAuXWfIoz68Q98GFT6RaDJp tJ1c3TheqYv54EnMJp4Tqymj1QpPAYpJ60fo5fzBTz6sPg8SS1wVhtMUl0R9gaR7 VzdR7trN3HHtC/q2FdUNYU4Iu3SGDaswfEHtbpPSx0Gxj1qPZR1RYakiCEFc4tNz GBo9PfNeBzsq2rZ8XngUQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; t=1669913433; x=1669999833; bh=TqrX8aYaYyYeB NnOyObLeoI2PBPSkqeBYdmIchkhRz8=; b=OkW+eb2yIJf7pQNgaf7yHaWEorp2f KCXaC/YIzAHgS8nDHUBIGE6wThIjAHtxjU+uOWcF8LLTjK6/pgcTErsiuIcOWVfy Jv7mJcMZI0KVqWy49WYn2EM64mZZUrf3KBUATR+6MKczAwPPgYe9TqwKUxKzGG4M /Ft8RqTt5SpB8qW+1APhTrGhdBJvvBM6Cj8+qKITYltisd0S+PcACYrIFa7GbCI2 /69e9F9rGwn180uQBB0j2p1Vb2cmWjQNZhilCoDi25nugKVdC9T8rUb1IR5QTjKt 6YdCdJYRJJLAs4saROWxU68LByvnNcq9E/4/J7F5070AGfz2r+rrHWPZQ== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrtdehgdelgecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpefhvfevufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpefmlhgruhhs ucflvghnshgvnhcuoehithhssehirhhrvghlvghvrghnthdrughkqeenucggtffrrghtth gvrhhnpeejgfeilefgieevheekueevheehkeefveegiefgheefgfejjeehffefgedujedu geenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehith hssehirhhrvghlvghvrghnthdrughk X-ME-Proxy: Feedback-ID: idc91472f:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Thu, 1 Dec 2022 11:50:31 -0500 (EST) From: Klaus Jensen To: qemu-devel@nongnu.org Cc: qemu-block@nongnu.org, Keith Busch , Klaus Jensen , Klaus Jensen Subject: [PULL for-7.2 2/5] hw/nvme: fix aio cancel in flush Date: Thu, 1 Dec 2022 17:50:21 +0100 Message-Id: <20221201165024.51018-3-its@irrelevant.dk> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20221201165024.51018-1-its@irrelevant.dk> References: <20221201165024.51018-1-its@irrelevant.dk> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=2596; i=k.jensen@samsung.com; h=from:subject; bh=avzERG+brYvQDBEX92TIH/6WWgSMh4xCDUsNn3ctL5s=; b=owJ4nAFtAZL+kA0DAAoBTeGvMW1PDekByyZiAGOI21DNKVJak2gKX0NBx96V7ndXQRqgIBP6hYi5 Z5uwXRLC9IkBMwQAAQoAHRYhBFIoM6p14tzmokdmwE3hrzFtTw3pBQJjiNtQAAoJEE3hrzFtTw3ptT QIAILh/B+hQHNLimn3xKSWANIh6peKgUWui8sWXB+sovWdHBBRNCaoiBapwpnVhEJSxGDHXujBYn3r WGCAVDA5jBAmF6+dQROwoXTurC8oQMoKieoHYN4I5xXyYmpEOoPYAUy/FcY8mrjxKK/dijEHLPVYmb pg6F/aIr/f/1LeuiSzMMe64uQdZAlUbFdquZguC2bxQvrbmXPOGsYikLM6ppwza5PK3w+O8NP18MlG pM+ilJ98HfDonKilYBDu+KPuigtQFtUa1ZqEBleYupYAqGIYbOsG6hkZuc8dOPs7XWoGpFQyGOiL+1 AQ2qCKnqOYjXUgbLMIWPBVtwWCeAxM2lGnbqkg X-Developer-Key: i=k.jensen@samsung.com; a=openpgp; fpr=DDCA4D9C9EF931CC3468427263D56FC5E55DA838 Received-SPF: pass client-ip=66.111.4.27; envelope-from=its@irrelevant.dk; helo=out3-smtp.messagingengine.com X-Spam_score_int: -27 X-Spam_score: -2.8 X-Spam_bar: -- X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org From: Klaus Jensen Make sure that iocb->aiocb is NULL'ed when cancelling. Fix a potential use-after-free by removing the bottom half and enqueuing the completion directly. Fixes: 38f4ac65ac88 ("hw/nvme: reimplement flush to allow cancellation") Reviewed-by: Keith Busch Signed-off-by: Klaus Jensen --- hw/nvme/ctrl.c | 21 ++++++--------------- 1 file changed, 6 insertions(+), 15 deletions(-) diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c index 9bc56075f66f..fede5af6afd0 100644 --- a/hw/nvme/ctrl.c +++ b/hw/nvme/ctrl.c @@ -3160,7 +3160,6 @@ typedef struct NvmeFlushAIOCB { BlockAIOCB common; BlockAIOCB *aiocb; NvmeRequest *req; - QEMUBH *bh; int ret; NvmeNamespace *ns; @@ -3176,6 +3175,7 @@ static void nvme_flush_cancel(BlockAIOCB *acb) if (iocb->aiocb) { blk_aio_cancel_async(iocb->aiocb); + iocb->aiocb = NULL; } } @@ -3185,6 +3185,8 @@ static const AIOCBInfo nvme_flush_aiocb_info = { .get_aio_context = nvme_get_aio_context, }; +static void nvme_do_flush(NvmeFlushAIOCB *iocb); + static void nvme_flush_ns_cb(void *opaque, int ret) { NvmeFlushAIOCB *iocb = opaque; @@ -3206,13 +3208,11 @@ static void nvme_flush_ns_cb(void *opaque, int ret) } out: - iocb->aiocb = NULL; - qemu_bh_schedule(iocb->bh); + nvme_do_flush(iocb); } -static void nvme_flush_bh(void *opaque) +static void nvme_do_flush(NvmeFlushAIOCB *iocb) { - NvmeFlushAIOCB *iocb = opaque; NvmeRequest *req = iocb->req; NvmeCtrl *n = nvme_ctrl(req); int i; @@ -3239,14 +3239,8 @@ static void nvme_flush_bh(void *opaque) return; done: - qemu_bh_delete(iocb->bh); - iocb->bh = NULL; - iocb->common.cb(iocb->common.opaque, iocb->ret); - qemu_aio_unref(iocb); - - return; } static uint16_t nvme_flush(NvmeCtrl *n, NvmeRequest *req) @@ -3258,7 +3252,6 @@ static uint16_t nvme_flush(NvmeCtrl *n, NvmeRequest *req) iocb = qemu_aio_get(&nvme_flush_aiocb_info, NULL, nvme_misc_cb, req); iocb->req = req; - iocb->bh = qemu_bh_new(nvme_flush_bh, iocb); iocb->ret = 0; iocb->ns = NULL; iocb->nsid = 0; @@ -3280,13 +3273,11 @@ static uint16_t nvme_flush(NvmeCtrl *n, NvmeRequest *req) } req->aiocb = &iocb->common; - qemu_bh_schedule(iocb->bh); + nvme_do_flush(iocb); return NVME_NO_COMPLETE; out: - qemu_bh_delete(iocb->bh); - iocb->bh = NULL; qemu_aio_unref(iocb); return status; From patchwork Thu Dec 1 16:50:22 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Klaus Jensen X-Patchwork-Id: 13061578 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 73D3AC43217 for ; Thu, 1 Dec 2022 16:52:39 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1p0mlx-0000LE-LY; Thu, 01 Dec 2022 11:50:53 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1p0mlv-0000Hk-DA; Thu, 01 Dec 2022 11:50:51 -0500 Received: from out3-smtp.messagingengine.com ([66.111.4.27]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1p0mlr-00011N-J2; Thu, 01 Dec 2022 11:50:51 -0500 Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id 9C8925C00ED; Thu, 1 Dec 2022 11:50:34 -0500 (EST) Received: from mailfrontend2 ([10.202.2.163]) by compute4.internal (MEProxy); Thu, 01 Dec 2022 11:50:34 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=irrelevant.dk; h=cc:cc:content-transfer-encoding:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm3; t=1669913434; x= 1669999834; bh=aBsAVc1/hgYoS+bVs7/fs4McPqJCjBQnvGS+rGu+Sgk=; b=o QGj3QfNJVGRiXeznDsn8NvZIRfC5ICZMPku+NR45Y8kioD9MXshdJfEAITArf8e3 CVfDD/0/GJcPTAPNQu7YoppAy/dFOTscisKMb6JBQXfblNwF4vzF6aHbZOGoPVTo bxSK6E6ZR6PteoY8Ao0WWXpi1zt8HbDBf47JyfApnbDNp71vAwsf0+PQpE0sJh8/ H07chvKtoXlgsEZskWOvpWU94fXELDD/JtNmty1xLIaw+JrBVb0RbHap6YpZIqrV FX26UuvEpOCRIxomogm+Gd+AFmFUAdLxzc8wC9WRW7mACO3b7YKgTHYThYjq4V3O totdHsDWqCsxE803PqtuA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; t=1669913434; x=1669999834; bh=aBsAVc1/hgYoS +bVs7/fs4McPqJCjBQnvGS+rGu+Sgk=; b=prO6yo9yhql+He4fhCsgUzUaSW/tc Z5a7+VOEXCcl1k80qck61MtmjuniD8FtyCAtvvUd78Ui+VUuLqkgcXm0yMJhNEbF oP1n6uhTN77K3ULooRQLQyMG/o/nJm7aoGiOG79mzEp4foF8pIIsC5PuaSEC6B6r RdRLlps/XrjPzKrNRFoVkZNKHDQ2wo2rxKb3zit5zyCAMeg4ubZUkZv7Q6yvb8ZK ilVsKPK1kkfr9fXadrxptNsud8RXEhCXsZoA0zSvvWeIDxvJ8+sRcIyTRPEUZSAQ AcCq8kfD4hsBIdfZul4M5lU2P6Hy3pDnI3B+CIp1q+g6FOQfK/0/trq4w== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrtdehgdelfecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpefhvfevufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpefmlhgruhhs ucflvghnshgvnhcuoehithhssehirhhrvghlvghvrghnthdrughkqeenucggtffrrghtth gvrhhnpeejgfeilefgieevheekueevheehkeefveegiefgheefgfejjeehffefgedujedu geenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehith hssehirhhrvghlvghvrghnthdrughk X-ME-Proxy: Feedback-ID: idc91472f:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Thu, 1 Dec 2022 11:50:33 -0500 (EST) From: Klaus Jensen To: qemu-devel@nongnu.org Cc: qemu-block@nongnu.org, Keith Busch , Klaus Jensen , Klaus Jensen Subject: [PULL for-7.2 3/5] hw/nvme: fix aio cancel in zone reset Date: Thu, 1 Dec 2022 17:50:22 +0100 Message-Id: <20221201165024.51018-4-its@irrelevant.dk> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20221201165024.51018-1-its@irrelevant.dk> References: <20221201165024.51018-1-its@irrelevant.dk> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=3276; i=k.jensen@samsung.com; h=from:subject; bh=j5bs7aBpIoAuFdyTRJ7E5AynZMWe6a8pnc+NNpwHg64=; b=owJ4nAFtAZL+kA0DAAoBTeGvMW1PDekByyZiAGOI21BG5RWpZ8GiXSBWupcbBMAHZ7MljYU1xH2M kPtBmFUAEokBMwQAAQoAHRYhBFIoM6p14tzmokdmwE3hrzFtTw3pBQJjiNtQAAoJEE3hrzFtTw3pJp cIAJkJvhlphpX74JJyy6a2ZZu7Gl8C0K9/3hJSVJRp7OhaMOu47mNtYu8gUr7hEunEcbhdOKKYTsV/ JliF2SA+4yvgPxRd7Lazj3ENQGGxU0iVbegPtlxjA4D8xNP/nsgKkPd3L0DzkN2sSE9OZFeAzX9PRj 5CNm+LjlLl1qAjM4QNM9jA7ZaFz6os61PIaT9yvtGAseWBERrNqH3Yp3RWfQ7N5u5sUMX/EjyVZogV p/bHA7t27auqiZ6Mq/wtpY5n4Bp1OSUzXcjGtQpZTC3DZCd8JX2Koo0WFxsf27s0roI+hbxwGC4fVH /olm76sq2clZIbxcRCRjFeXo2A8+rB8GOvtaps X-Developer-Key: i=k.jensen@samsung.com; a=openpgp; fpr=DDCA4D9C9EF931CC3468427263D56FC5E55DA838 Received-SPF: pass client-ip=66.111.4.27; envelope-from=its@irrelevant.dk; helo=out3-smtp.messagingengine.com X-Spam_score_int: -27 X-Spam_score: -2.8 X-Spam_bar: -- X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org From: Klaus Jensen If the zone reset operation is cancelled but the block unmap operation completes normally, the callback will continue resetting the next zone since it neglects to check iocb->ret which will have been set to -ECANCELED. Make sure that this is checked and bail out if an error is present. Secondly, fix a potential use-after-free by removing the bottom half and enqueuing the completion directly. Fixes: 63d96e4ffd71 ("hw/nvme: reimplement zone reset to allow cancellation") Reviewed-by: Keith Busch Signed-off-by: Klaus Jensen --- hw/nvme/ctrl.c | 36 +++++++++++------------------------- 1 file changed, 11 insertions(+), 25 deletions(-) diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c index fede5af6afd0..bf4abf73f765 100644 --- a/hw/nvme/ctrl.c +++ b/hw/nvme/ctrl.c @@ -3712,7 +3712,6 @@ typedef struct NvmeZoneResetAIOCB { BlockAIOCB common; BlockAIOCB *aiocb; NvmeRequest *req; - QEMUBH *bh; int ret; bool all; @@ -3741,17 +3740,6 @@ static const AIOCBInfo nvme_zone_reset_aiocb_info = { .cancel_async = nvme_zone_reset_cancel, }; -static void nvme_zone_reset_bh(void *opaque) -{ - NvmeZoneResetAIOCB *iocb = opaque; - - iocb->common.cb(iocb->common.opaque, iocb->ret); - - qemu_bh_delete(iocb->bh); - iocb->bh = NULL; - qemu_aio_unref(iocb); -} - static void nvme_zone_reset_cb(void *opaque, int ret); static void nvme_zone_reset_epilogue_cb(void *opaque, int ret) @@ -3762,14 +3750,8 @@ static void nvme_zone_reset_epilogue_cb(void *opaque, int ret) int64_t moff; int count; - if (ret < 0) { - nvme_zone_reset_cb(iocb, ret); - return; - } - - if (!ns->lbaf.ms) { - nvme_zone_reset_cb(iocb, 0); - return; + if (ret < 0 || iocb->ret < 0 || !ns->lbaf.ms) { + goto out; } moff = nvme_moff(ns, iocb->zone->d.zslba); @@ -3779,6 +3761,9 @@ static void nvme_zone_reset_epilogue_cb(void *opaque, int ret) BDRV_REQ_MAY_UNMAP, nvme_zone_reset_cb, iocb); return; + +out: + nvme_zone_reset_cb(iocb, ret); } static void nvme_zone_reset_cb(void *opaque, int ret) @@ -3787,7 +3772,9 @@ static void nvme_zone_reset_cb(void *opaque, int ret) NvmeRequest *req = iocb->req; NvmeNamespace *ns = req->ns; - if (ret < 0) { + if (iocb->ret < 0) { + goto done; + } else if (ret < 0) { iocb->ret = ret; goto done; } @@ -3835,9 +3822,9 @@ static void nvme_zone_reset_cb(void *opaque, int ret) done: iocb->aiocb = NULL; - if (iocb->bh) { - qemu_bh_schedule(iocb->bh); - } + + iocb->common.cb(iocb->common.opaque, iocb->ret); + qemu_aio_unref(iocb); } static uint16_t nvme_zone_mgmt_send_zrwa_flush(NvmeCtrl *n, NvmeZone *zone, @@ -3942,7 +3929,6 @@ static uint16_t nvme_zone_mgmt_send(NvmeCtrl *n, NvmeRequest *req) nvme_misc_cb, req); iocb->req = req; - iocb->bh = qemu_bh_new(nvme_zone_reset_bh, iocb); iocb->ret = 0; iocb->all = all; iocb->idx = zone_idx; From patchwork Thu Dec 1 16:50:23 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Klaus Jensen X-Patchwork-Id: 13061575 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 7AF27C43217 for ; Thu, 1 Dec 2022 16:52:07 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1p0mlz-0000M1-7P; Thu, 01 Dec 2022 11:50:55 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1p0mlv-0000Hm-Eq; Thu, 01 Dec 2022 11:50:51 -0500 Received: from out3-smtp.messagingengine.com ([66.111.4.27]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1p0mlr-00011X-IF; Thu, 01 Dec 2022 11:50:51 -0500 Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id 02E605C0199; Thu, 1 Dec 2022 11:50:36 -0500 (EST) Received: from mailfrontend2 ([10.202.2.163]) by compute5.internal (MEProxy); Thu, 01 Dec 2022 11:50:36 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=irrelevant.dk; h=cc:cc:content-transfer-encoding:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm3; t=1669913435; x= 1669999835; bh=xhzJtcCUyy85UyC2FNJXI7BUgPe5ixAUSRRVPcBbq3Y=; b=q u1v2GUbPtSoEO0pnbLtSyiij1tE06PC570MFoDp1o/fNRhqFExEQXrMQERYA3jNT 4o5TF+JYutNiIQLh/E03pKTHi+/4pa6fD2cOpmwMoqDW5eMkJiyblG+hewdkWWCx A7i7YCBxXPHlLEyKIe9l+sBbLk5XI+ivz1RocIsNRRLU88zQjh6zN5I2i92drn5H nTf97cpLYllT690qbL27ejcaGkhxz0NyDFEVcQspOpLGWiZFbA04/6763Y6bZI5t r2D6l9QcAcddikBrzX6zQUzFgQmcGXfVNznD7PPx6aRnJqG/KplfnDrOxsmNPYD2 WmGE3XYYPsSr5IYiKnPTA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; t=1669913435; x=1669999835; bh=xhzJtcCUyy85U yC2FNJXI7BUgPe5ixAUSRRVPcBbq3Y=; b=usUb5ns2q1s4g5nzdvxeLke+9/66r pa/bIdcpINeAsKWsAG5vlZXL2zOa9hSEzCeBM4TSch+dM/u6ZMPW+gh+Va3Kevkh P+S0byt0qhMQ4bP6B9Rdjl55U/tSqgNzConqNNj9qVw0ec1GK1ffublGEOv4Vvjb e6ghk2htjpC/ua2iAPGzNfhrUaTYeu7i07ZkjyWuX1/EwxstuwnGYJwfrvWSYzZo JLwgmlvFZAhkUlQcnyly1leieI5eP2fXJJGKR3bcXhYg9ajoif9iG+7Ojw9Tp23G GYSj+hDQZhecJAyFRFDq2MQ8XaMiKJ75naVJRPiBedWrc9E6erbm8vnrQ== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrtdehgdelgecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpefhvfevufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpefmlhgruhhs ucflvghnshgvnhcuoehithhssehirhhrvghlvghvrghnthdrughkqeenucggtffrrghtth gvrhhnpeejgfeilefgieevheekueevheehkeefveegiefgheefgfejjeehffefgedujedu geenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehith hssehirhhrvghlvghvrghnthdrughk X-ME-Proxy: Feedback-ID: idc91472f:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Thu, 1 Dec 2022 11:50:34 -0500 (EST) From: Klaus Jensen To: qemu-devel@nongnu.org Cc: qemu-block@nongnu.org, Keith Busch , Klaus Jensen , Klaus Jensen Subject: [PULL for-7.2 4/5] hw/nvme: fix aio cancel in dsm Date: Thu, 1 Dec 2022 17:50:23 +0100 Message-Id: <20221201165024.51018-5-its@irrelevant.dk> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20221201165024.51018-1-its@irrelevant.dk> References: <20221201165024.51018-1-its@irrelevant.dk> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=3673; i=k.jensen@samsung.com; h=from:subject; bh=NgJITmtDtdnGN4ssoFa45yM5GbM7YaoerPemTnHoVrc=; b=owJ4nAFtAZL+kA0DAAoBTeGvMW1PDekByyZiAGOI21C+o5rlXlM2jTM8CkCj/XNQUWEgdBug9sqk RE5HOym0w4kBMwQAAQoAHRYhBFIoM6p14tzmokdmwE3hrzFtTw3pBQJjiNtQAAoJEE3hrzFtTw3p6r EIAK20PFdRANAYjGgpgrOXukdeLjsRxyDQnw1VpCYtnHQz/1T0dxsAw7DSPt93U6dqtp8rBI3SZ5QZ 9Ydkl9PahEKtMfZpgjEQgVP0Lkcqigzeb6DXz2L0BnvS9Z+CKqKqjqqIrGe/MRsTvPAmPBhNSTf3Wp U3DeMOkZH9F0LBfUki56Y/BXShlHrUrhg1Tj4/dHhP6wSCGslXeI69lxZOcYINkDau5XaBKxPLoLlb ie7LQwl7N9Pk8kkSBhcONoyutbYZuBhPgP8cMIseO8vQOhle9pdHj7C5LHPiV8H+gQLp3mioedPXgw +f36DFCW5DD8UCpQl870FO4qaEQgpOddznHKFi X-Developer-Key: i=k.jensen@samsung.com; a=openpgp; fpr=DDCA4D9C9EF931CC3468427263D56FC5E55DA838 Received-SPF: pass client-ip=66.111.4.27; envelope-from=its@irrelevant.dk; helo=out3-smtp.messagingengine.com X-Spam_score_int: -27 X-Spam_score: -2.8 X-Spam_bar: -- X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org From: Klaus Jensen When the DSM operation is cancelled asynchronously, we set iocb->ret to -ECANCELED. However, the callback function only checks the return value of the completed aio, which may have completed succesfully prior to the cancellation and thus the callback ends up continuing the dsm operation instead of bailing out. Fix this. Secondly, fix a potential use-after-free by removing the bottom half and enqueuing the completion directly. Fixes: d7d1474fd85d ("hw/nvme: reimplement dsm to allow cancellation") Reviewed-by: Keith Busch Signed-off-by: Klaus Jensen --- hw/nvme/ctrl.c | 34 ++++++++-------------------------- 1 file changed, 8 insertions(+), 26 deletions(-) diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c index bf4abf73f765..e847b89461f8 100644 --- a/hw/nvme/ctrl.c +++ b/hw/nvme/ctrl.c @@ -2329,7 +2329,6 @@ typedef struct NvmeDSMAIOCB { BlockAIOCB common; BlockAIOCB *aiocb; NvmeRequest *req; - QEMUBH *bh; int ret; NvmeDsmRange *range; @@ -2351,7 +2350,7 @@ static void nvme_dsm_cancel(BlockAIOCB *aiocb) } else { /* * We only reach this if nvme_dsm_cancel() has already been called or - * the command ran to completion and nvme_dsm_bh is scheduled to run. + * the command ran to completion. */ assert(iocb->idx == iocb->nr); } @@ -2362,17 +2361,6 @@ static const AIOCBInfo nvme_dsm_aiocb_info = { .cancel_async = nvme_dsm_cancel, }; -static void nvme_dsm_bh(void *opaque) -{ - NvmeDSMAIOCB *iocb = opaque; - - iocb->common.cb(iocb->common.opaque, iocb->ret); - - qemu_bh_delete(iocb->bh); - iocb->bh = NULL; - qemu_aio_unref(iocb); -} - static void nvme_dsm_cb(void *opaque, int ret); static void nvme_dsm_md_cb(void *opaque, int ret) @@ -2384,16 +2372,10 @@ static void nvme_dsm_md_cb(void *opaque, int ret) uint64_t slba; uint32_t nlb; - if (ret < 0) { - iocb->ret = ret; + if (ret < 0 || iocb->ret < 0 || !ns->lbaf.ms) { goto done; } - if (!ns->lbaf.ms) { - nvme_dsm_cb(iocb, 0); - return; - } - range = &iocb->range[iocb->idx - 1]; slba = le64_to_cpu(range->slba); nlb = le32_to_cpu(range->nlb); @@ -2406,7 +2388,6 @@ static void nvme_dsm_md_cb(void *opaque, int ret) ret = nvme_block_status_all(ns, slba, nlb, BDRV_BLOCK_ZERO); if (ret) { if (ret < 0) { - iocb->ret = ret; goto done; } @@ -2420,8 +2401,7 @@ static void nvme_dsm_md_cb(void *opaque, int ret) return; done: - iocb->aiocb = NULL; - qemu_bh_schedule(iocb->bh); + nvme_dsm_cb(iocb, ret); } static void nvme_dsm_cb(void *opaque, int ret) @@ -2434,7 +2414,9 @@ static void nvme_dsm_cb(void *opaque, int ret) uint64_t slba; uint32_t nlb; - if (ret < 0) { + if (iocb->ret < 0) { + goto done; + } else if (ret < 0) { iocb->ret = ret; goto done; } @@ -2468,7 +2450,8 @@ next: done: iocb->aiocb = NULL; - qemu_bh_schedule(iocb->bh); + iocb->common.cb(iocb->common.opaque, iocb->ret); + qemu_aio_unref(iocb); } static uint16_t nvme_dsm(NvmeCtrl *n, NvmeRequest *req) @@ -2486,7 +2469,6 @@ static uint16_t nvme_dsm(NvmeCtrl *n, NvmeRequest *req) nvme_misc_cb, req); iocb->req = req; - iocb->bh = qemu_bh_new(nvme_dsm_bh, iocb); iocb->ret = 0; iocb->range = g_new(NvmeDsmRange, nr); iocb->nr = nr; From patchwork Thu Dec 1 16:50:24 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Klaus Jensen X-Patchwork-Id: 13061574 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 0BFF8C4321E for ; Thu, 1 Dec 2022 16:51:57 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1p0mlz-0000Ly-68; Thu, 01 Dec 2022 11:50:55 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1p0mlx-0000Iv-5g; Thu, 01 Dec 2022 11:50:53 -0500 Received: from out3-smtp.messagingengine.com ([66.111.4.27]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1p0mlr-00011j-J1; Thu, 01 Dec 2022 11:50:52 -0500 Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id 768A35C019D; Thu, 1 Dec 2022 11:50:37 -0500 (EST) Received: from mailfrontend2 ([10.202.2.163]) by compute4.internal (MEProxy); Thu, 01 Dec 2022 11:50:37 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=irrelevant.dk; h=cc:cc:content-transfer-encoding:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm3; t=1669913437; x= 1669999837; bh=FX7J8/sRMp1mCRrCC1Kf8RXdoMZyyoqm/n8QvBjbHpY=; b=a 8Qv9NegRBd8a2KQUSrJw3QbwgoC3jvjV7wjNCrWqgqT9hrjCNHsi/AIGivCe3Wjo MreKKEzpENcl/ECnqrjD5lU9cn91xzDDbEajYtbwzaaNu4S7hfPn9/S+bTHvjClU QInaZrOAwPUrUJ8StDi0tM0qC0Uh4hENDEERT9DRbEyvtX7WucFm8CA68YesDYaU WrwtS2+VqWJgg9a4b/+F17rdNQDlQpHsg31gMQJkGOxZ5GmMu81l156qfnZsb+jR zILH9h0R9crMpe0GsNpPLjCGaP3rQG5BWAV/JjBDVLtM5T7OROVSQ1NjZhTA0mRC LebRAbndOCEv+P9qKnfyQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; t=1669913437; x=1669999837; bh=FX7J8/sRMp1mC RrCC1Kf8RXdoMZyyoqm/n8QvBjbHpY=; b=NDMcCwULaPC6QuKaO1sIuz2m91jw7 1DVzibKkL5BCxdGhYhGEGBQKVAtSkF6omKuYFlnH7INZ7a6Hpqv/AZexdb2PkQov x2+TNrdKSCcRMCfR+G9hQu3KpWtdk65UWHVk3URdy5hQHYOVYmTihGqiQWysZOJ2 O5TH11q3ykf/52PpsqZs1TPIyUAdFz4A0nKicdHgE5Rnip94MHPBTbcMowMkNVVv r2XA+WJdnfdhT2We0SI5NlhE1JNC69+wcaOtovxkPVMvV69J1m5zPyrcTVLIl2Gi /W+bpety522lyYxdC1UsK1lIhvwMAluC62ybn6xHQ48tgz5an2kPth7qg== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrtdehgdelfecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpefhvfevufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpefmlhgruhhs ucflvghnshgvnhcuoehithhssehirhhrvghlvghvrghnthdrughkqeenucggtffrrghtth gvrhhnpeejgfeilefgieevheekueevheehkeefveegiefgheefgfejjeehffefgedujedu geenucevlhhushhtvghrufhiiigvpedunecurfgrrhgrmhepmhgrihhlfhhrohhmpehith hssehirhhrvghlvghvrghnthdrughk X-ME-Proxy: Feedback-ID: idc91472f:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Thu, 1 Dec 2022 11:50:36 -0500 (EST) From: Klaus Jensen To: qemu-devel@nongnu.org Cc: qemu-block@nongnu.org, Keith Busch , Klaus Jensen , Klaus Jensen Subject: [PULL for-7.2 5/5] hw/nvme: remove copy bh scheduling Date: Thu, 1 Dec 2022 17:50:24 +0100 Message-Id: <20221201165024.51018-6-its@irrelevant.dk> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20221201165024.51018-1-its@irrelevant.dk> References: <20221201165024.51018-1-its@irrelevant.dk> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=5233; i=k.jensen@samsung.com; h=from:subject; bh=YYP8uBStgeLY45WB9aMw/UdyJ2BfC/rjU1mMLPXzeGg=; b=owJ4nAFtAZL+kA0DAAoBTeGvMW1PDekByyZiAGOI21C48iOb5uEiqkb1LzWHeeKapErgHQOUS+0J /scSjXxaNokBMwQAAQoAHRYhBFIoM6p14tzmokdmwE3hrzFtTw3pBQJjiNtQAAoJEE3hrzFtTw3pCU UIAKhy/IgKeV44j/KE9INeB8rhU0mSZabgE1ZSjn2NdKf5kHnE/MVprPaUqv21yJLg5bfaNqGuPih2 LddHCocFtZhATumZX+aVkxSyqYnQnkTHzV6nr9fRGfhxqPlFlCxqfu0N+7goN9Xy3wTaRWV4lysvM7 axT21a2rXaYLP78LK6/BElnNXY1bHckJl5CRG2TRSBnA/CWiVACor7THcfGczXpTQBjyofp8aMy6zY s1WkoOrlXtYU5M/Yud0N0jWodFfiZga9zoGjoi8ZnfsNovNHmkbPWtZCMegPuKaieKsptOm2Qptzso bzq7kc3R6m/C/mQa0kvNHS6RUKGTtfuIC3pLSg X-Developer-Key: i=k.jensen@samsung.com; a=openpgp; fpr=DDCA4D9C9EF931CC3468427263D56FC5E55DA838 Received-SPF: pass client-ip=66.111.4.27; envelope-from=its@irrelevant.dk; helo=out3-smtp.messagingengine.com X-Spam_score_int: -27 X-Spam_score: -2.8 X-Spam_bar: -- X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org From: Klaus Jensen Fix a potential use-after-free by removing the bottom half and enqueuing the completion directly. Fixes: 796d20681d9b ("hw/nvme: reimplement the copy command to allow aio cancellation") Reviewed-by: Keith Busch Signed-off-by: Klaus Jensen --- hw/nvme/ctrl.c | 63 +++++++++++--------------------------------------- 1 file changed, 14 insertions(+), 49 deletions(-) diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c index e847b89461f8..e54276dc1dc7 100644 --- a/hw/nvme/ctrl.c +++ b/hw/nvme/ctrl.c @@ -2552,7 +2552,6 @@ typedef struct NvmeCopyAIOCB { BlockAIOCB common; BlockAIOCB *aiocb; NvmeRequest *req; - QEMUBH *bh; int ret; void *ranges; @@ -2590,9 +2589,8 @@ static const AIOCBInfo nvme_copy_aiocb_info = { .cancel_async = nvme_copy_cancel, }; -static void nvme_copy_bh(void *opaque) +static void nvme_copy_done(NvmeCopyAIOCB *iocb) { - NvmeCopyAIOCB *iocb = opaque; NvmeRequest *req = iocb->req; NvmeNamespace *ns = req->ns; BlockAcctStats *stats = blk_get_stats(ns->blkconf.blk); @@ -2604,9 +2602,6 @@ static void nvme_copy_bh(void *opaque) qemu_iovec_destroy(&iocb->iov); g_free(iocb->bounce); - qemu_bh_delete(iocb->bh); - iocb->bh = NULL; - if (iocb->ret < 0) { block_acct_failed(stats, &iocb->acct.read); block_acct_failed(stats, &iocb->acct.write); @@ -2619,7 +2614,7 @@ static void nvme_copy_bh(void *opaque) qemu_aio_unref(iocb); } -static void nvme_copy_cb(void *opaque, int ret); +static void nvme_do_copy(NvmeCopyAIOCB *iocb); static void nvme_copy_source_range_parse_format0(void *ranges, int idx, uint64_t *slba, uint32_t *nlb, @@ -2731,7 +2726,7 @@ static void nvme_copy_out_completed_cb(void *opaque, int ret) iocb->idx++; iocb->slba += nlb; out: - nvme_copy_cb(iocb, iocb->ret); + nvme_do_copy(iocb); } static void nvme_copy_out_cb(void *opaque, int ret) @@ -2743,16 +2738,8 @@ static void nvme_copy_out_cb(void *opaque, int ret) size_t mlen; uint8_t *mbounce; - if (ret < 0) { - iocb->ret = ret; + if (ret < 0 || iocb->ret < 0 || !ns->lbaf.ms) { goto out; - } else if (iocb->ret < 0) { - goto out; - } - - if (!ns->lbaf.ms) { - nvme_copy_out_completed_cb(iocb, 0); - return; } nvme_copy_source_range_parse(iocb->ranges, iocb->idx, iocb->format, NULL, @@ -2771,7 +2758,7 @@ static void nvme_copy_out_cb(void *opaque, int ret) return; out: - nvme_copy_cb(iocb, ret); + nvme_copy_out_completed_cb(iocb, ret); } static void nvme_copy_in_completed_cb(void *opaque, int ret) @@ -2865,15 +2852,9 @@ static void nvme_copy_in_completed_cb(void *opaque, int ret) invalid: req->status = status; - iocb->aiocb = NULL; - if (iocb->bh) { - qemu_bh_schedule(iocb->bh); - } - - return; - + iocb->ret = -1; out: - nvme_copy_cb(iocb, ret); + nvme_do_copy(iocb); } static void nvme_copy_in_cb(void *opaque, int ret) @@ -2884,16 +2865,8 @@ static void nvme_copy_in_cb(void *opaque, int ret) uint64_t slba; uint32_t nlb; - if (ret < 0) { - iocb->ret = ret; + if (ret < 0 || iocb->ret < 0 || !ns->lbaf.ms) { goto out; - } else if (iocb->ret < 0) { - goto out; - } - - if (!ns->lbaf.ms) { - nvme_copy_in_completed_cb(iocb, 0); - return; } nvme_copy_source_range_parse(iocb->ranges, iocb->idx, iocb->format, &slba, @@ -2909,12 +2882,11 @@ static void nvme_copy_in_cb(void *opaque, int ret) return; out: - nvme_copy_cb(iocb, iocb->ret); + nvme_copy_in_completed_cb(iocb, ret); } -static void nvme_copy_cb(void *opaque, int ret) +static void nvme_do_copy(NvmeCopyAIOCB *iocb) { - NvmeCopyAIOCB *iocb = opaque; NvmeRequest *req = iocb->req; NvmeNamespace *ns = req->ns; uint64_t slba; @@ -2922,10 +2894,7 @@ static void nvme_copy_cb(void *opaque, int ret) size_t len; uint16_t status; - if (ret < 0) { - iocb->ret = ret; - goto done; - } else if (iocb->ret < 0) { + if (iocb->ret < 0) { goto done; } @@ -2972,14 +2941,11 @@ static void nvme_copy_cb(void *opaque, int ret) invalid: req->status = status; + iocb->ret = -1; done: - iocb->aiocb = NULL; - if (iocb->bh) { - qemu_bh_schedule(iocb->bh); - } + nvme_copy_done(iocb); } - static uint16_t nvme_copy(NvmeCtrl *n, NvmeRequest *req) { NvmeNamespace *ns = req->ns; @@ -3049,7 +3015,6 @@ static uint16_t nvme_copy(NvmeCtrl *n, NvmeRequest *req) } iocb->req = req; - iocb->bh = qemu_bh_new(nvme_copy_bh, iocb); iocb->ret = 0; iocb->nr = nr; iocb->idx = 0; @@ -3066,7 +3031,7 @@ static uint16_t nvme_copy(NvmeCtrl *n, NvmeRequest *req) BLOCK_ACCT_WRITE); req->aiocb = &iocb->common; - nvme_copy_cb(iocb, 0); + nvme_do_copy(iocb); return NVME_NO_COMPLETE;