On Fri, Aug 23, 2013 at 09:33:21AM +0200, Paolo Bonzini wrote:
> > (gdb) p *bh
> > $1 = {ctx = 0x0, cb = 0x5555555ffdcd <qemu_gluster_aio_bh>, opaque =
> > 0x7fffd00419c0, next = 0x555556345e70, scheduled = false, idle = false,
> > deleted = true}
>
> This looks like a use-after-free, with bh->ctx corrupted when freeing
> the bottom half. But it's not at all obvious how it can happen.
>
> I suggest using MALLOC_PERTURB_=42 to check this theory (if it is
> correct, most fields will be something like 0x2a2a2a2a2a2a2a2a). But I
> don't see anything clearly wrong in the patch... Thus perhaps it is
> simpler to just remove the unreachable error handling code.
(gdb) p *bh
$1 = {ctx = 0x0, cb = 0x2a2a2a2a2a2a2a2a, opaque = 0x2a2a2a2a2a2a2a2a,
next = 0x2a2a2a2a2a2a2a2a, scheduled = false, idle = false, deleted = true}

Maybe, as noted above, I should just remove the unreachable error handling code for now.

Regards,
Bharata.
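The 0x2a2a2a2a2a2a2a2a values in the second gdb dump are exactly what glibc produces with MALLOC_PERTURB_=42: freed memory is filled with the low byte of the variable (0x2a) and freshly malloc'd memory with its complement, so pointer fields that read back as all-0x2a were read after the block was freed. The following is an added example, not code from this thread or from QEMU, that reproduces the same diagnostic in a self-contained debug allocator: freed blocks are poisoned with 0x2a and held in a quarantine instead of being returned to malloc, and a check recognizes a bottom half whose pointer fields carry the poison pattern. The QEMUBH layout, the quarantine size and the helper names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Low byte of MALLOC_PERTURB_=42, the value glibc writes over freed memory. */
#define PERTURB_BYTE 0x2a
#define QUARANTINE_SLOTS 16   /* assumed size of the debug quarantine */

/* Assumed stand-in for QEMU's bottom-half struct, not the real definition. */
typedef struct QEMUBH {
    void *ctx;
    void (*cb)(void *opaque);
    void *opaque;
    struct QEMUBH *next;
    bool scheduled;
    bool idle;
    bool deleted;
} QEMUBH;

static void *quarantine[QUARANTINE_SLOTS];
static size_t quarantine_len;

/* Poison the block and park it in the quarantine instead of handing it back
 * to malloc, so a later use-after-free reads the poison pattern rather than
 * whatever the allocator recycled the memory into. Only the oldest block is
 * really freed once the quarantine is full. */
static void poison_free(void *p, size_t size)
{
    memset(p, PERTURB_BYTE, size);
    if (quarantine_len == QUARANTINE_SLOTS) {
        free(quarantine[0]);
        memmove(&quarantine[0], &quarantine[1],
                (QUARANTINE_SLOTS - 1) * sizeof(void *));
        quarantine_len--;
    }
    quarantine[quarantine_len++] = p;
}

/* True if a pointer-sized field consists entirely of the poison byte
 * (0x2a2a2a2a2a2a2a2a on a 64-bit build, as in the gdb output above). */
static bool field_poisoned(const void *field, size_t size)
{
    unsigned char pattern[sizeof(void *)];
    memset(pattern, PERTURB_BYTE, sizeof pattern);
    return size == sizeof pattern && memcmp(field, pattern, size) == 0;
}

/* Detection check: a live bottom half never has all three pointer fields
 * equal to the poison word, so this flags an object freed before the access. */
bool bh_looks_freed(const QEMUBH *bh)
{
    return field_poisoned(&bh->cb, sizeof bh->cb) &&
           field_poisoned(&bh->opaque, sizeof bh->opaque) &&
           field_poisoned(&bh->next, sizeof bh->next);
}

static void dummy_cb(void *opaque) { (void)opaque; }

/* Build a bottom half, free it through the poisoning allocator, then touch it
 * again: that last access is the bug class under discussion, made safe to
 * observe here only because the quarantine keeps the memory mapped. */
bool bh_freed_is_detected(void)
{
    QEMUBH *bh = malloc(sizeof *bh);
    bh->ctx = NULL;
    bh->cb = dummy_cb;
    bh->opaque = bh;
    bh->next = NULL;
    bh->scheduled = false;
    bh->idle = false;
    bh->deleted = true;
    poison_free(bh, sizeof *bh);
    return bh_looks_freed(bh);   /* expected: true */
}

/* Control case: a bottom half that is still live must not be flagged. */
bool live_bh_is_flagged(void)
{
    QEMUBH bh = { .ctx = NULL, .cb = dummy_cb, .opaque = &bh, .next = NULL,
                  .scheduled = true, .idle = false, .deleted = false };
    return bh_looks_freed(&bh);  /* expected: false */
}

int main(void)
{
    printf("freed bh detected: %s\n", bh_freed_is_detected() ? "yes" : "no");
    printf("live bh flagged:   %s\n", live_bh_is_flagged() ? "yes" : "no");
    return 0;
}
```

The quarantine is what makes the freed object readable in this example; with the real MALLOC_PERTURB_ variable the memory goes back to malloc, which is why the gdb dump in the thread shows the poison pattern only in the fields that had not yet been overwritten by a new allocation.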