mirror of
https://gitlab.com/qemu-project/qemu
synced 2024-07-22 19:04:26 +00:00
hw/nvme: fix aio cancel in zone reset
If the zone reset operation is cancelled but the block unmap operation
completes normally, the callback will continue resetting the next zone
since it neglects to check iocb->ret which will have been set to
-ECANCELED. Make sure that this is checked and bail out if an error is
present.
Secondly, fix a potential use-after-free by removing the bottom half and
enqueuing the completion directly.
Fixes: 63d96e4ffd ("hw/nvme: reimplement zone reset to allow cancellation")
Reviewed-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
This commit is contained in:
Klaus Jensen
parent
3dbc1708ea
commit
36a251c346
|
|
@ -3712,7 +3712,6 @@ typedef struct NvmeZoneResetAIOCB {
|
|||
BlockAIOCB common;
|
||||
BlockAIOCB *aiocb;
|
||||
NvmeRequest *req;
|
||||
QEMUBH *bh;
|
||||
int ret;
|
||||
|
||||
bool all;
|
||||
|
|
@ -3741,17 +3740,6 @@ static const AIOCBInfo nvme_zone_reset_aiocb_info = {
|
|||
.cancel_async = nvme_zone_reset_cancel,
|
||||
};
|
||||
|
||||
static void nvme_zone_reset_bh(void *opaque)
|
||||
{
|
||||
NvmeZoneResetAIOCB *iocb = opaque;
|
||||
|
||||
iocb->common.cb(iocb->common.opaque, iocb->ret);
|
||||
|
||||
qemu_bh_delete(iocb->bh);
|
||||
iocb->bh = NULL;
|
||||
qemu_aio_unref(iocb);
|
||||
}
|
||||
|
||||
static void nvme_zone_reset_cb(void *opaque, int ret);
|
||||
|
||||
static void nvme_zone_reset_epilogue_cb(void *opaque, int ret)
|
||||
|
|
@ -3762,14 +3750,8 @@ static void nvme_zone_reset_epilogue_cb(void *opaque, int ret)
|
|||
int64_t moff;
|
||||
int count;
|
||||
|
||||
if (ret < 0) {
|
||||
nvme_zone_reset_cb(iocb, ret);
|
||||
return;
|
||||
}
|
||||
|
||||
if (!ns->lbaf.ms) {
|
||||
nvme_zone_reset_cb(iocb, 0);
|
||||
return;
|
||||
if (ret < 0 || iocb->ret < 0 || !ns->lbaf.ms) {
|
||||
goto out;
|
||||
}
|
||||
|
||||
moff = nvme_moff(ns, iocb->zone->d.zslba);
|
||||
|
|
@ -3779,6 +3761,9 @@ static void nvme_zone_reset_epilogue_cb(void *opaque, int ret)
|
|||
BDRV_REQ_MAY_UNMAP,
|
||||
nvme_zone_reset_cb, iocb);
|
||||
return;
|
||||
|
||||
out:
|
||||
nvme_zone_reset_cb(iocb, ret);
|
||||
}
|
||||
|
||||
static void nvme_zone_reset_cb(void *opaque, int ret)
|
||||
|
|
@ -3787,7 +3772,9 @@ static void nvme_zone_reset_cb(void *opaque, int ret)
|
|||
NvmeRequest *req = iocb->req;
|
||||
NvmeNamespace *ns = req->ns;
|
||||
|
||||
if (ret < 0) {
|
||||
if (iocb->ret < 0) {
|
||||
goto done;
|
||||
} else if (ret < 0) {
|
||||
iocb->ret = ret;
|
||||
goto done;
|
||||
}
|
||||
|
|
@ -3835,9 +3822,9 @@ static void nvme_zone_reset_cb(void *opaque, int ret)
|
|||
|
||||
done:
|
||||
iocb->aiocb = NULL;
|
||||
if (iocb->bh) {
|
||||
qemu_bh_schedule(iocb->bh);
|
||||
}
|
||||
|
||||
iocb->common.cb(iocb->common.opaque, iocb->ret);
|
||||
qemu_aio_unref(iocb);
|
||||
}
|
||||
|
||||
static uint16_t nvme_zone_mgmt_send_zrwa_flush(NvmeCtrl *n, NvmeZone *zone,
|
||||
|
|
@ -3942,7 +3929,6 @@ static uint16_t nvme_zone_mgmt_send(NvmeCtrl *n, NvmeRequest *req)
|
|||
nvme_misc_cb, req);
|
||||
|
||||
iocb->req = req;
|
||||
iocb->bh = qemu_bh_new(nvme_zone_reset_bh, iocb);
|
||||
iocb->ret = 0;
|
||||
iocb->all = all;
|
||||
iocb->idx = zone_idx;
|
||||
|
|
|
|||
Loading…
Reference in a new issue