On 17/03/2016 16:00, Stefan Hajnoczi wrote: >> > + data = g_new(VirtIOBlockStartData, 1); >> > + data->vblk = vblk; >> > + data->bh = aio_bh_new(s->ctx, virtio_blk_data_plane_start_bh_cb, >> > data); >> > + qemu_bh_schedule(data->bh); >> > + qemu_mutex_unlock(&s->start_stop_lock); >> > return; > This BH usage pattern is dangerous: > > 1. The BH is created and scheduled. > 2. Before the BH executes the device is unrealized. > 3. The data->bh pointer is inaccessible so we have a dangling BH that > will access vblk after vblk has been freed. > > In some cases it can be safe but I don't see why the pattern is safe in > this case. Either the BH needs to hold some sort of reference to keep > vblk alive, or vblk needs to know about pending BHs so they can be > deleted.
You're right. After unrealizing virtio_blk_data_plane_stop has set of vblk->dataplane_started = false, so that's covered. However, you still need an object_ref/object_object_unref pair. That said, Christian wasn't testing hotplug/hot-unplug so this shouldn't matter in his case. Let's see if we can catch the reentrancy with an assertion... Paolo
