diff mbox series

[3/7] block/nbd: Assert there are no timers when closed

Message ID 20220203163024.38913-4-hreitz@redhat.com (mailing list archive)
State New, archived
Headers show
Series block/nbd: Move s->ioc on AioContext change | expand

Commit Message

Hanna Czenczek Feb. 3, 2022, 4:30 p.m. UTC
Our two timers must not remain armed beyond nbd_clear_bdrvstate(), or
they will access freed data when they fire.

This patch is separate from the patches that actually fix the issue
(HEAD^^ and HEAD^) so that you can run the associated regression iotest
(281) on a configuration that reproducibly exposes the bug.

Signed-off-by: Hanna Reitz <hreitz@redhat.com>
---
 block/nbd.c | 4 ++++
 1 file changed, 4 insertions(+)

Comments

Vladimir Sementsov-Ogievskiy Feb. 4, 2022, 8:54 a.m. UTC | #1
03.02.2022 19:30, Hanna Reitz wrote:
> Our two timers must not remain armed beyond nbd_clear_bdrvstate(), or
> they will access freed data when they fire.
> 
> This patch is separate from the patches that actually fix the issue
> (HEAD^^ and HEAD^) so that you can run the associated regression iotest
> (281) on a configuration that reproducibly exposes the bug.
> 
> Signed-off-by: Hanna Reitz<hreitz@redhat.com>

Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
diff mbox series

Patch

diff --git a/block/nbd.c b/block/nbd.c
index 5ff8a57314..dc6c3f3bbc 100644
--- a/block/nbd.c
+++ b/block/nbd.c
@@ -110,6 +110,10 @@  static void nbd_clear_bdrvstate(BlockDriverState *bs)
 
     yank_unregister_instance(BLOCKDEV_YANK_INSTANCE(bs->node_name));
 
+    /* Must not leave timers behind that would access freed data */
+    assert(!s->reconnect_delay_timer);
+    assert(!s->open_timer);
+
     object_unref(OBJECT(s->tlscreds));
     qapi_free_SocketAddress(s->saddr);
     s->saddr = NULL;