* [PATCH] block/nbd: Fix crash when cancelling drive mirror
@ 2020-12-30 12:15 Peng Liang
From: Peng Liang @ 2020-12-30 12:15 UTC (permalink / raw)
To: eblake, kwolf, mreitz
Cc: xiexiangyou, liangpeng10, qemu-devel, qemu-block, zhang.zhanghailiang
During drive mirror, if the target VM exits abnormally (e.g. killed),
the nbd client (source VM) will receive EOF, finalize the previous
connection (set s->ioc to NULL), and start the reconnect process. After
that, if the source VM tries to cancel the drive mirror, it could
receive signal SIGSEGV like this:
#0 0x0000559015b1e196 in qio_channel_detach_aio_context (ioc=0x0) at ../io/channel.c:452
#1 0x0000559015a9ffc0 in nbd_client_detach_aio_context (bs=0x559016fdce50) at ../block/nbd.c:237
#2 0x0000559015a7ed9e in bdrv_detach_aio_context (bs=0x559016fdce50) at ../block.c:6420
#3 0x0000559015a7f095 in bdrv_set_aio_context_ignore (bs=0x559016fdce50, new_context=0x5590162d5d20, ignore=0x7ffe4cf8ec10) at ../block.c:6499
#4 0x0000559015a7efbd in bdrv_set_aio_context_ignore (bs=0x559016fe1100, new_context=0x5590162d5d20, ignore=0x7ffe4cf8ec10) at ../block.c:6488
#5 0x0000559015a7f445 in bdrv_child_try_set_aio_context (bs=0x559016fe1100, ctx=0x5590162d5d20, ignore_child=0x0, errp=0x0) at ../block.c:6603
#6 0x0000559015a7f49c in bdrv_try_set_aio_context (bs=0x559016fe1100, ctx=0x5590162d5d20, errp=0x0) at ../block.c:6612
#7 0x0000559015a76c0d in bdrv_replace_child (child=0x559016ea8a90, new_bs=0x0) at ../block.c:2664
#8 0x0000559015a77094 in bdrv_detach_child (child=0x559016ea8a90) at ../block.c:2783
#9 0x0000559015a770d6 in bdrv_root_unref_child (child=0x559016ea8a90) at ../block.c:2795
#10 0x0000559015a82784 in block_job_remove_all_bdrv (job=0x5590169cd7e0) at ../blockjob.c:191
#11 0x0000559015aafc56 in mirror_exit_common (job=0x5590169cd7e0) at ../block/mirror.c:745
#12 0x0000559015aafd66 in mirror_abort (job=0x5590169cd7e0) at ../block/mirror.c:773
#13 0x0000559015a5c8c3 in job_abort (job=0x5590169cd7e0) at ../job.c:670
#14 0x0000559015a5c967 in job_finalize_single (job=0x5590169cd7e0) at ../job.c:691
#15 0x0000559015a5cbf0 in job_completed_txn_abort (job=0x5590169cd7e0) at ../job.c:769
#16 0x0000559015a5cf4b in job_completed (job=0x5590169cd7e0) at ../job.c:863
#17 0x0000559015a5cfac in job_exit (opaque=0x5590169cd7e0) at ../job.c:885
#18 0x0000559015bc0bd8 in aio_bh_call (bh=0x7f7b2c007840) at ../util/async.c:136
#19 0x0000559015bc0ce2 in aio_bh_poll (ctx=0x5590162d5d20) at ../util/async.c:164
#20 0x0000559015bcf644 in aio_dispatch (ctx=0x5590162d5d20) at ../util/aio-posix.c:381
#21 0x0000559015bc111f in aio_ctx_dispatch (source=0x5590162d5d20, callback=0x0, user_data=0x0) at ../util/async.c:306
#22 0x00007f7b3a2b6b34 in g_main_context_dispatch () at /usr/lib64/libglib-2.0.so.0
#23 0x0000559015be32a4 in glib_pollfds_poll () at ../util/main-loop.c:221
#24 0x0000559015be331e in os_host_main_loop_wait (timeout=31000000) at ../util/main-loop.c:244
#25 0x0000559015be3426 in main_loop_wait (nonblocking=0) at ../util/main-loop.c:520
#26 0x0000559015914a43 in qemu_main_loop () at ../softmmu/runstate.c:720
#27 0x000055901556fe17 in main (argc=94, argv=0x7ffe4cf8f1e8, envp=0x7ffe4cf8f4e0) at ../softmmu/main.c:50
Reported-by: Euler Robot <euler.robot@huawei.com>
Signed-off-by: Peng Liang <liangpeng10@huawei.com>
---
block/nbd.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/block/nbd.c b/block/nbd.c
index 42536702b6f9..b22a9ecbbcd0 100644
--- a/block/nbd.c
+++ b/block/nbd.c
@@ -232,9 +232,11 @@ static void nbd_client_detach_aio_context(BlockDriverState *bs)
{
BDRVNBDState *s = (BDRVNBDState *)bs->opaque;
- /* Timer is deleted in nbd_client_co_drain_begin() */
- assert(!s->reconnect_delay_timer);
- qio_channel_detach_aio_context(QIO_CHANNEL(s->ioc));
+ if (s->state == NBD_CLIENT_CONNECTED) {
+ /* Timer is deleted in nbd_client_co_drain_begin() */
+ assert(!s->reconnect_delay_timer);
+ qio_channel_detach_aio_context(QIO_CHANNEL(s->ioc));
+ }
}
static void nbd_client_attach_aio_context_bh(void *opaque)
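Review bot: the guard added in this hunk tests s->state rather than the pointer that is actually dereferenced, s->ioc. The commit message describes the crash as s->ioc being set to NULL when the previous connection is finalized, so if state and ioc can ever disagree (state already changed while ioc is still set, or ioc cleared while state still reads NBD_CLIENT_CONNECTED), the NULL dereference in qio_channel_detach_aio_context() remains reachable. Consider either checking the pointer directly, `if (s->ioc) { ... }`, or keeping the state check and adding `assert(s->ioc);` inside the branch so the assumption that CONNECTED implies a live channel is enforced. It would also help to extend the existing comment to state why nothing needs detaching in the non-connected states, i.e. that a reconnecting client has no channel attached to the AioContext and its reconnect_delay_timer is handled elsewhere, since the old assert on the timer is now skipped in those states.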
--
2.29.2