[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH 04/64] monitor/qmp: fix race on CHR_EVENT_CLOSED without OOB
From: |
Michael Roth |
Subject: |
[PATCH 04/64] monitor/qmp: fix race on CHR_EVENT_CLOSED without OOB |
Date: |
Tue, 19 Oct 2021 09:08:44 -0500 |
From: Stefan Reiter <s.reiter@proxmox.com>
The QMP dispatcher coroutine holds the qmp_queue_lock over a yield
point, where it expects to be rescheduled from the main context. If a
CHR_EVENT_CLOSED event is received just then, it can race and block the
main thread on the mutex in monitor_qmp_cleanup_queue_and_resume.
monitor_resume does not need to be called from main context, so we can
call it immediately after popping a request from the queue, which allows
us to drop the qmp_queue_lock mutex before yielding.
Suggested-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
Message-Id: <20210322154024.15011-1-s.reiter@proxmox.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Markus Armbruster <armbru@redhat.com>
(cherry picked from commit a67b996e7894edfafbcd3fd007c9f58f26d25908)
Signed-off-by: Michael Roth <michael.roth@amd.com>
---
monitor/qmp.c | 40 ++++++++++++++++++++++------------------
1 file changed, 22 insertions(+), 18 deletions(-)
diff --git a/monitor/qmp.c b/monitor/qmp.c
index 2b0308f933..092c527b6f 100644
--- a/monitor/qmp.c
+++ b/monitor/qmp.c
@@ -257,24 +257,6 @@ void coroutine_fn monitor_qmp_dispatcher_co(void *data)
trace_monitor_qmp_in_band_dequeue(req_obj,
req_obj->mon->qmp_requests->length);
- if (qatomic_xchg(&qmp_dispatcher_co_busy, true) == true) {
- /*
- * Someone rescheduled us (probably because a new requests
- * came in), but we didn't actually yield. Do that now,
- * only to be immediately reentered and removed from the
- * list of scheduled coroutines.
- */
- qemu_coroutine_yield();
- }
-
- /*
- * Move the coroutine from iohandler_ctx to qemu_aio_context for
- * executing the command handler so that it can make progress if it
- * involves an AIO_WAIT_WHILE().
- */
- aio_co_schedule(qemu_get_aio_context(), qmp_dispatcher_co);
- qemu_coroutine_yield();
-
/*
* @req_obj has a request, we hold req_obj->mon->qmp_queue_lock
*/
@@ -298,8 +280,30 @@ void coroutine_fn monitor_qmp_dispatcher_co(void *data)
monitor_resume(&mon->common);
}
+ /*
+ * Drop the queue mutex now, before yielding, otherwise we might
+ * deadlock if the main thread tries to lock it.
+ */
qemu_mutex_unlock(&mon->qmp_queue_lock);
+ if (qatomic_xchg(&qmp_dispatcher_co_busy, true) == true) {
+ /*
+ * Someone rescheduled us (probably because a new requests
+ * came in), but we didn't actually yield. Do that now,
+ * only to be immediately reentered and removed from the
+ * list of scheduled coroutines.
+ */
+ qemu_coroutine_yield();
+ }
+
+ /*
+ * Move the coroutine from iohandler_ctx to qemu_aio_context for
+ * executing the command handler so that it can make progress if it
+ * involves an AIO_WAIT_WHILE().
+ */
+ aio_co_schedule(qemu_get_aio_context(), qmp_dispatcher_co);
+ qemu_coroutine_yield();
+
/* Process request */
if (req_obj->req) {
if (trace_event_get_state(TRACE_MONITOR_QMP_CMD_IN_BAND)) {
--
2.25.1
- [PATCH 41/64] hw/nvme: fix pin-based interrupt behavior (again), (continued)
- [PATCH 41/64] hw/nvme: fix pin-based interrupt behavior (again), Michael Roth, 2021/10/19
- [PATCH 42/64] virtio-balloon: don't start free page hinting if postcopy is possible, Michael Roth, 2021/10/19
- [PATCH 43/64] hw/net/can: sja1000 fix buff2frame_bas and buff2frame_pel when dlc is out of std CAN 8 bytes, Michael Roth, 2021/10/19
- [PATCH 44/64] hw/sd/sdcard: Document out-of-range addresses for SEND_WRITE_PROT, Michael Roth, 2021/10/19
- [PATCH 45/64] hw/sd/sdcard: Fix assertion accessing out-of-range addresses with CMD30, Michael Roth, 2021/10/19
- [PATCH 46/64] audio: Never send migration section, Michael Roth, 2021/10/19
- [PATCH 47/64] target/arm: Don't skip M-profile reset entirely in user mode, Michael Roth, 2021/10/19
- [PATCH 48/64] virtio-net: fix use after unmap/free for sg, Michael Roth, 2021/10/19
- [PATCH 49/64] qemu-nbd: Change default cache mode to writeback, Michael Roth, 2021/10/19
- [PATCH 50/64] hmp: Unbreak "change vnc", Michael Roth, 2021/10/19
- [PATCH 04/64] monitor/qmp: fix race on CHR_EVENT_CLOSED without OOB,
Michael Roth <=
- [PATCH 51/64] virtio-mem-pci: Fix memory leak when creating MEMORY_DEVICE_SIZE_CHANGE event, Michael Roth, 2021/10/19
- [PATCH 52/64] uas: add stream number sanity checks., Michael Roth, 2021/10/19
- [PATCH 53/64] usb/redir: avoid dynamic stack allocation (CVE-2021-3527), Michael Roth, 2021/10/19
- [PATCH 54/64] usb: limit combined packets to 1 MiB (CVE-2021-3527), Michael Roth, 2021/10/19
- [PATCH 55/64] vhost-user-gpu: fix memory disclosure in virgl_cmd_get_capset_info (CVE-2021-3545), Michael Roth, 2021/10/19
- [PATCH 56/64] vhost-user-gpu: fix resource leak in 'vg_resource_create_2d' (CVE-2021-3544), Michael Roth, 2021/10/19
- [PATCH 57/64] vhost-user-gpu: fix memory leak in vg_resource_attach_backing (CVE-2021-3544), Michael Roth, 2021/10/19
- [PATCH 58/64] vhost-user-gpu: fix memory leak while calling 'vg_resource_unref' (CVE-2021-3544), Michael Roth, 2021/10/19
- [PATCH 59/64] vhost-user-gpu: fix memory leak in 'virgl_cmd_resource_unref' (CVE-2021-3544), Michael Roth, 2021/10/19
- [PATCH 60/64] vhost-user-gpu: fix memory leak in 'virgl_resource_attach_backing' (CVE-2021-3544), Michael Roth, 2021/10/19