mirror of
https://github.com/xemu-project/xemu.git
synced 2024-11-30 23:10:38 +00:00
1d719ddc35
bdrv_aio_cancel() calls aio_poll() on the AioContext for the given I/O
request until it has completed. ENOMEDIUM requests are special because
there is no BlockDriverState when the drive has no medium!
Define a .get_aio_context() function for BlkAioEmAIOCB requests so that
bdrv_aio_cancel() can find the AioContext where the completion BH is
pending. Without this function bdrv_aio_cancel() aborts on ENOMEDIUM
requests!
libFuzzer triggered the following assertion:
cat << EOF | qemu-system-i386 -M pc-q35-5.0 \
-nographic -monitor none -serial none \
-qtest stdio -trace ide\*
outl 0xcf8 0x8000fa24
outl 0xcfc 0xe106c000
outl 0xcf8 0x8000fa04
outw 0xcfc 0x7
outl 0xcf8 0x8000fb20
write 0x0 0x3 0x2780e7
write 0xe106c22c 0xd 0x1130c218021130c218021130c2
write 0xe106c218 0x15 0x110010110010110010110010110010110010110010
EOF
ide_exec_cmd IDE exec cmd: bus 0x56170a77a2b8; state 0x56170a77a340; cmd 0xe7
ide_reset IDEstate 0x56170a77a340
Aborted (core dumped)
(gdb) bt
#1 0x00007ffff4f93895 in abort () at /lib64/libc.so.6
#2 0x0000555555dc6c00 in bdrv_aio_cancel (acb=0x555556765550) at block/io.c:2745
#3 0x0000555555dac202 in blk_aio_cancel (acb=0x555556765550) at block/block-backend.c:1546
#4 0x0000555555b1bd74 in ide_reset (s=0x555557213340) at hw/ide/core.c:1318
#5 0x0000555555b1e3a1 in ide_bus_reset (bus=0x5555572132b8) at hw/ide/core.c:2422
#6 0x0000555555b2aa27 in ahci_reset_port (s=0x55555720eb50, port=2) at hw/ide/ahci.c:650
#7 0x0000555555b29fd7 in ahci_port_write (s=0x55555720eb50, port=2, offset=44, val=16) at hw/ide/ahci.c:360
#8 0x0000555555b2a564 in ahci_mem_write (opaque=0x55555720eb50, addr=556, val=16, size=1) at hw/ide/ahci.c:513
#9 0x000055555598415b in memory_region_write_accessor (mr=0x55555720eb80, addr=556, value=0x7fffffffb838, size=1, shift=0, mask=255, attrs=...) at softmmu/memory.c:483
Looking at bdrv_aio_cancel:
2728 /* async I/Os */
2729
2730 void bdrv_aio_cancel(BlockAIOCB *acb)
2731 {
2732 qemu_aio_ref(acb);
2733 bdrv_aio_cancel_async(acb);
2734 while (acb->refcnt > 1) {
2735 if (acb->aiocb_info->get_aio_context) {
2736 aio_poll(acb->aiocb_info->get_aio_context(acb), true);
2737 } else if (acb->bs) {
2738 /* qemu_aio_ref and qemu_aio_unref are not thread-safe, so
2739 * assert that we're not using an I/O thread. Thread-safe
2740 * code should use bdrv_aio_cancel_async exclusively.
2741 */
2742 assert(bdrv_get_aio_context(acb->bs) == qemu_get_aio_context());
2743 aio_poll(bdrv_get_aio_context(acb->bs), true);
2744 } else {
2745 abort(); <===============
2746 }
2747 }
2748 qemu_aio_unref(acb);
2749 }
Fixes:
|
||
|---|---|---|
| .. | ||
| monitor | ||
| accounting.c | ||
| aio_task.c | ||
| amend.c | ||
| backup-top.c | ||
| backup-top.h | ||
| backup.c | ||
| blkdebug.c | ||
| blklogwrites.c | ||
| blkreplay.c | ||
| blkverify.c | ||
| block-backend.c | ||
| block-copy.c | ||
| bochs.c | ||
| cloop.c | ||
| commit.c | ||
| copy-on-read.c | ||
| create.c | ||
| crypto.c | ||
| crypto.h | ||
| curl.c | ||
| dirty-bitmap.c | ||
| dmg-bz2.c | ||
| dmg-lzfse.c | ||
| dmg.c | ||
| dmg.h | ||
| file-posix.c | ||
| file-win32.c | ||
| filter-compress.c | ||
| gluster.c | ||
| io_uring.c | ||
| io.c | ||
| iscsi-opts.c | ||
| iscsi.c | ||
| linux-aio.c | ||
| Makefile.objs | ||
| mirror.c | ||
| nbd.c | ||
| nfs.c | ||
| null.c | ||
| nvme.c | ||
| parallels.c | ||
| parallels.h | ||
| qapi-sysemu.c | ||
| qapi.c | ||
| qcow2-bitmap.c | ||
| qcow2-cache.c | ||
| qcow2-cluster.c | ||
| qcow2-refcount.c | ||
| qcow2-snapshot.c | ||
| qcow2-threads.c | ||
| qcow2.c | ||
| qcow2.h | ||
| qcow.c | ||
| qed-check.c | ||
| qed-cluster.c | ||
| qed-l2-cache.c | ||
| qed-table.c | ||
| qed.c | ||
| qed.h | ||
| quorum.c | ||
| raw-format.c | ||
| rbd.c | ||
| replication.c | ||
| sheepdog.c | ||
| snapshot.c | ||
| ssh.c | ||
| stream.c | ||
| throttle-groups.c | ||
| throttle.c | ||
| trace-events | ||
| vdi.c | ||
| vhdx-endian.c | ||
| vhdx-log.c | ||
| vhdx.c | ||
| vhdx.h | ||
| vmdk.c | ||
| vpc.c | ||
| vvfat.c | ||
| win32-aio.c | ||
| write-threshold.c | ||