qemu/block
Greg Kurz f45280cbf6 block: fix QEMU crash with scsi-hd and drive_del
Removing a drive with drive_del while it is being used to run an I/O
intensive workload can cause QEMU to crash.

An AIO flush can yield at some point:

blk_aio_flush_entry()
 blk_co_flush(blk)
  bdrv_co_flush(blk->root->bs)
   ...
    qemu_coroutine_yield()

and let the HMP command run, free blk->root and give control
back to the AIO flush:

    hmp_drive_del()
     blk_remove_bs()
      bdrv_root_unref_child(blk->root)
       child_bs = blk->root->bs
       bdrv_detach_child(blk->root)
        bdrv_replace_child(blk->root, NULL)
         blk->root->bs = NULL
        g_free(blk->root) <============== blk->root becomes stale
       bdrv_unref(child_bs)
        bdrv_delete(child_bs)
         bdrv_close()
          bdrv_drained_begin()
           bdrv_do_drained_begin()
            bdrv_drain_recurse()
             aio_poll()
              ...
              qemu_coroutine_switch()

and the AIO flush completion ends up dereferencing blk->root:

  blk_aio_complete()
   scsi_aio_complete()
    blk_get_aio_context(blk)
     bs = blk_bs(blk)
 i.e., bs = blk->root ? blk->root->bs : NULL
            ^^^^^^^^^
            stale

The problem is that we should avoid making block driver graph
changes while we have in-flight requests. Let's drain all I/O
for this BB before calling bdrv_root_unref_child().

Signed-off-by: Greg Kurz <groug@kaod.org>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2018-06-18 15:03:25 +02:00
accounting.c block/accounting: introduce latency histogram 2018-03-19 14:58:37 -05:00
backup.c job: Add error message for failing jobs 2018-05-30 13:31:01 +02:00
blkdebug.c block: Support BDRV_REQ_WRITE_UNCHANGED in filters 2018-05-15 16:15:21 +02:00
blkreplay.c block: Support BDRV_REQ_WRITE_UNCHANGED in filters 2018-05-15 16:15:21 +02:00
blkverify.c block: Support BDRV_REQ_WRITE_UNCHANGED in filters 2018-05-15 16:15:21 +02:00
block-backend.c block: fix QEMU crash with scsi-hd and drive_del 2018-06-18 15:03:25 +02:00
bochs.c block: Deprecate bdrv_set_read_only() and users 2017-11-17 13:35:59 +01:00
cloop.c block: Deprecate bdrv_set_read_only() and users 2017-11-17 13:35:59 +01:00
commit.c job: Add error message for failing jobs 2018-05-30 13:31:01 +02:00
copy-on-read.c block: Support BDRV_REQ_WRITE_UNCHANGED in filters 2018-05-15 16:15:21 +02:00
create.c block/create: Mark blockdev-create stable 2018-05-30 13:31:18 +02:00
crypto.c block: Make remaining uses of qobject input visitor more robust 2018-06-15 14:49:44 +02:00
crypto.h qcow: convert QCow to use QCryptoBlock for encryption 2017-07-11 17:44:56 +02:00
curl.c Move include qemu/option.h from qemu-common.h to actual users 2018-02-09 13:52:16 +01:00
dirty-bitmap.c qapi: add x-block-dirty-bitmap-merge 2018-06-11 14:53:32 -04:00
dmg-bz2.c dmg: Move libbz2 code to dmg-bz2.so 2016-10-07 14:14:06 +02:00
dmg.c block: Deprecate bdrv_set_read_only() and users 2017-11-17 13:35:59 +01:00
dmg.h block: remove "qemu/osdep.h" from header file 2017-12-18 17:07:02 +03:00
file-posix.c block/file-posix: File locking during creation 2018-06-11 16:18:45 +02:00
file-win32.c file-win32: Switch to byte-based callbacks 2018-05-15 16:11:41 +02:00
gluster.c block: Add block-specific QDict header 2018-06-15 14:49:44 +02:00
io.c block: Allow graph changes in bdrv_drain_all_begin/end sections 2018-06-18 15:03:25 +02:00
iscsi-opts.c Move include qemu/option.h from qemu-common.h to actual users 2018-02-09 13:52:16 +01:00
iscsi.c block: Add block-specific QDict header 2018-06-15 14:49:44 +02:00
linux-aio.c block: explicitly acquire aiocontext in aio callbacks that need it 2017-02-21 11:39:39 +00:00
Makefile.objs block: Add COR filter driver 2018-05-15 16:15:21 +02:00
mirror.c block: Really pause block jobs on drain 2018-06-18 15:03:25 +02:00
nbd-client.c nbd/client: Relax handling of large NBD_CMD_BLOCK_STATUS reply 2018-05-04 08:23:39 -05:00
nbd-client.h nbd: BLOCK_STATUS for standard get_block_status function: client part 2018-03-13 15:43:48 -05:00
nbd.c block: Factor out qobject_input_visitor_new_flat_confused() 2018-06-15 14:49:44 +02:00
nfs.c block: Factor out qobject_input_visitor_new_flat_confused() 2018-06-15 14:49:44 +02:00
null.c null: Switch to byte-based read/write 2018-05-15 16:11:41 +02:00
nvme.c qobject: Modify qobject_ref() to return obj 2018-05-04 08:27:53 +02:00
parallels.c block: Factor out qobject_input_visitor_new_flat_confused() 2018-06-15 14:49:44 +02:00
parallels.h Clean up includes 2018-02-09 05:05:11 +01:00
qapi.c qobject: Replace qobject_incref/QINCREF qobject_decref/QDECREF 2018-05-04 08:27:53 +02:00
qcow2-bitmap.c block/qcow2-bitmap: fix free_bitmap_clusters 2018-06-11 16:18:45 +02:00
qcow2-cache.c qcow2: Allow configuring the L2 slice size 2018-02-13 17:00:00 +01:00
qcow2-cluster.c block: use local path for local headers 2018-05-31 04:16:06 +03:00
qcow2-refcount.c qcow2: Repair OFLAG_COPIED when fixing leaks 2018-06-11 16:18:45 +02:00
qcow2-snapshot.c block: use local path for local headers 2018-05-31 04:16:06 +03:00
qcow2.c block: Factor out qobject_input_visitor_new_flat_confused() 2018-06-15 14:49:44 +02:00
qcow2.h qcow2: Give the refcount cache the minimum possible size by default 2018-05-15 16:15:21 +02:00
qcow.c block: Factor out qobject_input_visitor_new_flat_confused() 2018-06-15 14:49:44 +02:00
qed-check.c block: convert bdrv_check callback to coroutine_fn 2018-03-09 15:17:47 +01:00
qed-cluster.c qed: protect table cache with CoMutex 2017-07-17 11:34:11 +08:00
qed-l2-cache.c qed: protect table cache with CoMutex 2017-07-17 11:34:11 +08:00
qed-table.c block: convert bdrv_check callback to coroutine_fn 2018-03-09 15:17:47 +01:00
qed.c block: Factor out qobject_input_visitor_new_flat_confused() 2018-06-15 14:49:44 +02:00
qed.h qed: protect table cache with CoMutex 2017-07-17 11:34:11 +08:00
quorum.c block: Add block-specific QDict header 2018-06-15 14:49:44 +02:00
raw-format.c raw: Implement copy offloading 2018-06-01 14:41:47 +01:00
rbd.c rbd: New parameter key-secret 2018-06-15 14:49:44 +02:00
replication.c job: Move completion and cancellation to Job 2018-05-23 14:30:51 +02:00
sheepdog.c block: Factor out qobject_input_visitor_new_flat_confused() 2018-06-15 14:49:44 +02:00
snapshot.c block: Add block-specific QDict header 2018-06-15 14:49:44 +02:00
ssh.c block: Factor out qobject_input_visitor_new_flat_confused() 2018-06-15 14:49:44 +02:00
stream.c job: Add error message for failing jobs 2018-05-30 13:31:01 +02:00
throttle-groups.c Include less of the generated modular QAPI headers 2018-03-02 13:45:50 -06:00
throttle.c throttle: Fix crash on reopen 2018-06-11 16:18:45 +02:00
trace-events job: Move completion and cancellation to Job 2018-05-23 14:30:51 +02:00
vdi.c block: Make remaining uses of qobject input visitor more robust 2018-06-15 14:49:44 +02:00
vhdx-endian.c block: use local path for local headers 2018-05-31 04:16:06 +03:00
vhdx-log.c block: use local path for local headers 2018-05-31 04:16:06 +03:00
vhdx.c block: Factor out qobject_input_visitor_new_flat_confused() 2018-06-15 14:49:44 +02:00
vhdx.h block: vhdx - update PAYLOAD_BLOCK_UNMAPPED value to match 1.00 spec 2014-12-12 15:42:22 +00:00
vmdk.c vmdk: return ERROR when cluster sector is larger than vmdk limitation 2018-03-26 21:17:24 +02:00
vpc.c block: Factor out qobject_input_visitor_new_flat_confused() 2018-06-15 14:49:44 +02:00
vvfat.c block: ignore_bds_parents parameter for drain functions 2018-06-18 15:03:25 +02:00
vxhs.c block: Add block-specific QDict header 2018-06-15 14:49:44 +02:00
win32-aio.c file-win32: Switch to byte-based callbacks 2018-05-15 16:11:41 +02:00
write-threshold.c Include less of the generated modular QAPI headers 2018-03-02 13:45:50 -06:00