From: Chenliang <chenlian...@huawei.com>

Qemu may double free when executing the command "reboot -f" in a VM. One path is bdrv_aio_cancel(), the other is the dma_bdrv_cb() callback process.
Signed-off-by: Chenliang <chenlian...@huawei.com>
Signed-off-by: Gonglei <arei.gong...@huawei.com>
---
Qemu crash bt:
Program received signal SIGABRT, Aborted.
0x00007f3cb2c76b55 in raise () from /lib64/libc.so.6
(gdb) bt
#0  0x00007f3cb2c76b55 in raise () from /lib64/libc.so.6
#1  0x00007f3cb2c78131 in abort () from /lib64/libc.so.6
#2  0x00007f3cb2cb4e0f in __libc_message () from /lib64/libc.so.6
#3  0x00007f3cb2cba618 in malloc_printerr () from /lib64/libc.so.6
#4  0x00007f3cb2cbf65c in free () from /lib64/libc.so.6
#5  0x00007f3cb54146f2 in free_and_trace (mem=0x7f3cb63f3220) at vl.c:3078
#6  0x00007f3cb52126cd in qemu_aio_release (p=0x7f3cb63f3220) at block.c:4262
#7  0x00007f3cb525de5e in dma_complete (dbs=0x7f3cb63f3220, ret=0) at dma-helpers.c:135
#8  0x00007f3cb525df3d in dma_bdrv_cb (opaque=0x7f3cb63f3220, ret=0) at dma-helpers.c:152
#9  0x00007f3cb5212102 in bdrv_co_em_bh (opaque=0x7f3cb6398980) at block.c:4127
#10 0x00007f3cb51f6cef in aio_bh_poll (ctx=0x7f3cb622a8f0) at async.c:70
#11 0x00007f3cb51f695a in aio_poll (ctx=0x7f3cb622a8f0, blocking=false) at aio-posix.c:185
#12 0x00007f3cb51f7056 in aio_ctx_dispatch (source=0x7f3cb622a8f0, callback=0x0, user_data=0x0) at async.c:167
#13 0x00007f3cb48b969a in g_main_context_dispatch () from /usr/lib64/libglib-2.0.so.0
#14 0x00007f3cb538956d in glib_pollfds_poll () at main-loop.c:188
#15 0x00007f3cb538965e in os_host_main_loop_wait (timeout=0) at main-loop.c:233
#16 0x00007f3cb5389718 in main_loop_wait (nonblocking=0) at main-loop.c:478
#17 0x00007f3cb5411212 in main_loop () at vl.c:2319
#18 0x00007f3cb54186ba in main (argc=57, argv=0x7fff5510c968, envp=0x7fff5510cb38) at vl.c:4803
---
 hw/ide/core.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/hw/ide/core.c b/hw/ide/core.c
index 3a38f1e..76d65c1 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -2050,11 +2050,9 @@ void ide_bus_reset(IDEBus *bus) /* pending async DMA */ if (bus->dma->aiocb) { -#ifdef DEBUG_AIO - printf("aio_cancel\n"); -#endif - bdrv_aio_cancel(bus->dma->aiocb); - bus->dma->aiocb = NULL; + bdrv_drain_all(); + bdrv_flush_all(); + assert(bus->dma->aiocb == NULL); } /* reset dma provider too */ -- 1.7.12.4
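Review bot: the `assert(bus->dma->aiocb == NULL);` that replaces the explicit `bus->dma->aiocb = NULL;` turns a guest-reachable action into a host process abort if its assumption ever fails. The commit message says this path is hit by `reboot -f` inside the VM, and after this hunk `ide_bus_reset()` relies on the DMA completion callback (not shown in the diff) having cleared `bus->dma->aiocb` while `bdrv_drain_all()` waits; if any completion path, including an error return, leaves the field set, the whole QEMU process dies on a guest-initiated bus reset. Keeping the assignment, or handling a non-NULL aiocb without `assert()`, would be the safer shape. Two further points: `bdrv_drain_all()` and `bdrv_flush_all()` wait on and flush every block device in the VM, not only the one backing this IDE bus, so a single bus reset now stalls on unrelated disks; and the interaction described in the commit message, `bdrv_aio_cancel()` and the `dma_bdrv_cb()` callback both releasing the same aiocb, is sidestepped here rather than fixed, so other callers that cancel a DMA aiocb may still hit the double free. The `DEBUG_AIO` printf removal is unrelated cleanup and reads more clearly as a separate patch.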