scsi: protect req->aiocb with AioContext lock
If requests are being processed in the IOThread when a SCSIDevice is unplugged, scsi_device_purge_requests() -> scsi_req_cancel_async() races with I/O completion callbacks. Both threads load and store req->aiocb. This can lead to assert(r->req.aiocb == NULL) failures and undefined behavior. Protect r->req.aiocb with the AioContext lock to prevent the race. Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Message-Id: <20230221212218.1378734-2-stefanha@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
This commit is contained in:
parent
8ab8140a04
commit
7b7fc3d010
@ -273,9 +273,11 @@ static void scsi_aio_complete(void *opaque, int ret)
|
|||||||
SCSIDiskReq *r = (SCSIDiskReq *)opaque;
|
SCSIDiskReq *r = (SCSIDiskReq *)opaque;
|
||||||
SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
|
SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
|
||||||
|
|
||||||
|
aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
|
||||||
|
|
||||||
assert(r->req.aiocb != NULL);
|
assert(r->req.aiocb != NULL);
|
||||||
r->req.aiocb = NULL;
|
r->req.aiocb = NULL;
|
||||||
aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
|
|
||||||
if (scsi_disk_req_check_error(r, ret, true)) {
|
if (scsi_disk_req_check_error(r, ret, true)) {
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
@ -357,10 +359,11 @@ static void scsi_dma_complete(void *opaque, int ret)
|
|||||||
SCSIDiskReq *r = (SCSIDiskReq *)opaque;
|
SCSIDiskReq *r = (SCSIDiskReq *)opaque;
|
||||||
SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
|
SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
|
||||||
|
|
||||||
|
aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
|
||||||
|
|
||||||
assert(r->req.aiocb != NULL);
|
assert(r->req.aiocb != NULL);
|
||||||
r->req.aiocb = NULL;
|
r->req.aiocb = NULL;
|
||||||
|
|
||||||
aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
|
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
|
block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
|
||||||
} else {
|
} else {
|
||||||
@ -393,10 +396,11 @@ static void scsi_read_complete(void *opaque, int ret)
|
|||||||
SCSIDiskReq *r = (SCSIDiskReq *)opaque;
|
SCSIDiskReq *r = (SCSIDiskReq *)opaque;
|
||||||
SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
|
SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
|
||||||
|
|
||||||
|
aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
|
||||||
|
|
||||||
assert(r->req.aiocb != NULL);
|
assert(r->req.aiocb != NULL);
|
||||||
r->req.aiocb = NULL;
|
r->req.aiocb = NULL;
|
||||||
|
|
||||||
aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
|
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
|
block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
|
||||||
} else {
|
} else {
|
||||||
@ -446,10 +450,11 @@ static void scsi_do_read_cb(void *opaque, int ret)
|
|||||||
SCSIDiskReq *r = (SCSIDiskReq *)opaque;
|
SCSIDiskReq *r = (SCSIDiskReq *)opaque;
|
||||||
SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
|
SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
|
||||||
|
|
||||||
|
aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
|
||||||
|
|
||||||
assert (r->req.aiocb != NULL);
|
assert (r->req.aiocb != NULL);
|
||||||
r->req.aiocb = NULL;
|
r->req.aiocb = NULL;
|
||||||
|
|
||||||
aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
|
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
|
block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
|
||||||
} else {
|
} else {
|
||||||
@ -530,10 +535,11 @@ static void scsi_write_complete(void * opaque, int ret)
|
|||||||
SCSIDiskReq *r = (SCSIDiskReq *)opaque;
|
SCSIDiskReq *r = (SCSIDiskReq *)opaque;
|
||||||
SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
|
SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
|
||||||
|
|
||||||
|
aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
|
||||||
|
|
||||||
assert (r->req.aiocb != NULL);
|
assert (r->req.aiocb != NULL);
|
||||||
r->req.aiocb = NULL;
|
r->req.aiocb = NULL;
|
||||||
|
|
||||||
aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
|
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
|
block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
|
||||||
} else {
|
} else {
|
||||||
@ -1737,10 +1743,11 @@ static void scsi_unmap_complete(void *opaque, int ret)
|
|||||||
SCSIDiskReq *r = data->r;
|
SCSIDiskReq *r = data->r;
|
||||||
SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
|
SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
|
||||||
|
|
||||||
|
aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
|
||||||
|
|
||||||
assert(r->req.aiocb != NULL);
|
assert(r->req.aiocb != NULL);
|
||||||
r->req.aiocb = NULL;
|
r->req.aiocb = NULL;
|
||||||
|
|
||||||
aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
|
|
||||||
if (scsi_disk_req_check_error(r, ret, true)) {
|
if (scsi_disk_req_check_error(r, ret, true)) {
|
||||||
scsi_req_unref(&r->req);
|
scsi_req_unref(&r->req);
|
||||||
g_free(data);
|
g_free(data);
|
||||||
@ -1816,9 +1823,11 @@ static void scsi_write_same_complete(void *opaque, int ret)
|
|||||||
SCSIDiskReq *r = data->r;
|
SCSIDiskReq *r = data->r;
|
||||||
SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
|
SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
|
||||||
|
|
||||||
|
aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
|
||||||
|
|
||||||
assert(r->req.aiocb != NULL);
|
assert(r->req.aiocb != NULL);
|
||||||
r->req.aiocb = NULL;
|
r->req.aiocb = NULL;
|
||||||
aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
|
|
||||||
if (scsi_disk_req_check_error(r, ret, true)) {
|
if (scsi_disk_req_check_error(r, ret, true)) {
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
|
@ -111,10 +111,11 @@ static void scsi_command_complete(void *opaque, int ret)
|
|||||||
SCSIGenericReq *r = (SCSIGenericReq *)opaque;
|
SCSIGenericReq *r = (SCSIGenericReq *)opaque;
|
||||||
SCSIDevice *s = r->req.dev;
|
SCSIDevice *s = r->req.dev;
|
||||||
|
|
||||||
|
aio_context_acquire(blk_get_aio_context(s->conf.blk));
|
||||||
|
|
||||||
assert(r->req.aiocb != NULL);
|
assert(r->req.aiocb != NULL);
|
||||||
r->req.aiocb = NULL;
|
r->req.aiocb = NULL;
|
||||||
|
|
||||||
aio_context_acquire(blk_get_aio_context(s->conf.blk));
|
|
||||||
scsi_command_complete_noio(r, ret);
|
scsi_command_complete_noio(r, ret);
|
||||||
aio_context_release(blk_get_aio_context(s->conf.blk));
|
aio_context_release(blk_get_aio_context(s->conf.blk));
|
||||||
}
|
}
|
||||||
@ -269,11 +270,11 @@ static void scsi_read_complete(void * opaque, int ret)
|
|||||||
SCSIDevice *s = r->req.dev;
|
SCSIDevice *s = r->req.dev;
|
||||||
int len;
|
int len;
|
||||||
|
|
||||||
|
aio_context_acquire(blk_get_aio_context(s->conf.blk));
|
||||||
|
|
||||||
assert(r->req.aiocb != NULL);
|
assert(r->req.aiocb != NULL);
|
||||||
r->req.aiocb = NULL;
|
r->req.aiocb = NULL;
|
||||||
|
|
||||||
aio_context_acquire(blk_get_aio_context(s->conf.blk));
|
|
||||||
|
|
||||||
if (ret || r->req.io_canceled) {
|
if (ret || r->req.io_canceled) {
|
||||||
scsi_command_complete_noio(r, ret);
|
scsi_command_complete_noio(r, ret);
|
||||||
goto done;
|
goto done;
|
||||||
@ -386,11 +387,11 @@ static void scsi_write_complete(void * opaque, int ret)
|
|||||||
|
|
||||||
trace_scsi_generic_write_complete(ret);
|
trace_scsi_generic_write_complete(ret);
|
||||||
|
|
||||||
|
aio_context_acquire(blk_get_aio_context(s->conf.blk));
|
||||||
|
|
||||||
assert(r->req.aiocb != NULL);
|
assert(r->req.aiocb != NULL);
|
||||||
r->req.aiocb = NULL;
|
r->req.aiocb = NULL;
|
||||||
|
|
||||||
aio_context_acquire(blk_get_aio_context(s->conf.blk));
|
|
||||||
|
|
||||||
if (ret || r->req.io_canceled) {
|
if (ret || r->req.io_canceled) {
|
||||||
scsi_command_complete_noio(r, ret);
|
scsi_command_complete_noio(r, ret);
|
||||||
goto done;
|
goto done;
|
||||||
|
Loading…
Reference in New Issue
Block a user