laio_init() can fail for a couple of reasons, which will lead to a NULL pointer dereference in laio_attach_aio_context(), called from aio_get_linux_aio().
Test case 1:
  Set /proc/sys/fs/max-aio-nr to 0.
  Start a guest with an aio=native disk.
  Result: laio_init() returns NULL due to not being able to allocate any
  AIO contexts. This NULL is assigned to ctx->linux_aio and dereferenced
  in aio_get_linux_aio.

Test case 2:
  Set /proc/sys/fs/max-aio-nr to 128.
  Start a guest with an aio=native disk and one in-use I/O thread.
  Result: laio_init() returns NULL due to not being able to allocate
  additional AIO contexts for the I/O thread. This NULL is assigned to
  ctx->linux_aio and dereferenced in aio_get_linux_aio.

Thanks to John Snow, Eric Blake and Kevin Wolf for review comments on v1 and v2.

Nishanth Aravamudan (2):
  linux-aio: properly bubble up errors from initialization
  file-posix: reconfigure aio on iothread start

 block/file-posix.c      | 33 ++++++++++++++++++++++++++++-----
 block/linux-aio.c       | 15 ++++++++++-----
 include/block/aio.h     |  3 +++
 include/block/raw-aio.h |  2 +-
 stubs/linux-aio.c       |  2 +-
 util/async.c            | 16 +++++++++++++---
 6 files changed, 56 insertions(+), 15 deletions(-)

-- 
2.17.1
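The failure path described above, as an added, constructed model rather than code from this series or from QEMU: a simulated max-aio-nr quota stands in for the kernel's, laio_init() and laio_attach_aio_context() are mock-ups, and the _unchecked/_checked function names and the per-context event count are assumptions. The unchecked shape dereferences the NULL that laio_init() returns when the quota is exhausted; the checked shape reports the failure to its caller instead.

```c
#include <stddef.h>

/* Constructed model, not QEMU code: a host quota (standing in for
 * /proc/sys/fs/max-aio-nr) caps the AIO contexts io_setup() can hand out;
 * every AioContext serving an aio=native disk asks for one. */
enum { AIO_EVENTS_PER_CTX = 128, MAX_CTXS = 4 };   /* assumed sizes */

typedef struct { int attached; } LinuxAioState;
typedef struct { LinuxAioState *linux_aio; } AioContext;

static long max_aio_nr;        /* simulated /proc/sys/fs/max-aio-nr */
static long aio_nr;            /* simulated kernel-wide allocated events */
static LinuxAioState states[MAX_CTXS];
static int states_used;

void aio_sim_reset(long limit) { max_aio_nr = limit; aio_nr = 0; states_used = 0; }

/* Models laio_init(): NULL when the quota would be exceeded (io_setup() -> EAGAIN). */
LinuxAioState *laio_init(void)
{
    if (aio_nr + AIO_EVENTS_PER_CTX > max_aio_nr || states_used == MAX_CTXS) return NULL;
    aio_nr += AIO_EVENTS_PER_CTX;
    return &states[states_used++];
}

void laio_attach_aio_context(LinuxAioState *s, AioContext *ctx)
{
    (void)ctx;
    s->attached = 1;   /* crashes here when s is NULL */
}

/* Buggy shape: laio_init()'s result is attached without being checked. */
LinuxAioState *aio_get_linux_aio_unchecked(AioContext *ctx)
{
    if (!ctx->linux_aio) {
        ctx->linux_aio = laio_init();
        laio_attach_aio_context(ctx->linux_aio, ctx);   /* NULL deref if init failed */
    }
    return ctx->linux_aio;
}

/* Fixed shape: a failed init is reported to the caller, never dereferenced. */
LinuxAioState *aio_setup_linux_aio_checked(AioContext *ctx, const char **errp)
{
    if (!ctx->linux_aio) {
        ctx->linux_aio = laio_init();
        if (!ctx->linux_aio) {
            *errp = "Failed to set up Linux AIO context (max-aio-nr exhausted?)";
            return NULL;
        }
        laio_attach_aio_context(ctx->linux_aio, ctx);
    }
    return ctx->linux_aio;
}
```

The two quota settings from the test cases (0, and 128 with one extra I/O thread context) are the inputs that make the checked path return an error where the unchecked path would crash.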