From: Paolo Bonzini
Subject: Re: [Qemu-devel] [PATCH] ide: fix double free
Date: Wed, 02 Jul 2014 15:09:37 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
On 02/07/2014 14:54, 陈梁 wrote:
> > The second call should have happened within dma_aio_cancel's call to bdrv_aio_cancel. This is the real bug.
>
> IMO, the second need not have happened within dma_aio_cancel's call to bdrv_aio_cancel. The double free will happen if dma_aio_cancel is called.
The callback must not be invoked after bdrv_aio_cancel. This is the fundamental invariant of bdrv_aio_cancel. All implementations of AIOCB must respect it, or bugs like this one happen.
Here, either bdrv_aio_cancel was not invoked, or the invariant was broken.

The other invariant, this time in dma-helpers.c, is that dma_bdrv_cb either exits with no pending AIOCB, or it exits with a non-NULL dbs->acb. If bdrv_aio_cancel was not invoked, this invariant was broken because there is a pending AIOCB but it is not in dbs->acb.
Paolo
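A small standalone C model of the two invariants discussed in this reply, added here as an example and not QEMU's own code: `request_slot`, the `backend_*` functions, the `honour_cancel` switch and the `releases` counter are constructed stand-ins for the real bdrv_aio_cancel, dma_bdrv_cb and dbs->acb, used only to show how a callback firing after cancel turns into a double release.

```c
#include <stddef.h>
/* pending: 1 while the request is in flight */
typedef struct AIOCB { void (*cb)(void *, int); void *opaque; int pending; } AIOCB;
/* acb: the in-flight request or NULL; releases: how often state was released */
typedef struct { AIOCB *acb; int releases; } DMAState;
static AIOCB request_slot;      /* the single backend request (constructed model) */
static AIOCB *backend_submit(void (*cb)(void *, int), void *opaque)
{
    request_slot = (AIOCB){ cb, opaque, 1 };
    return &request_slot;
}
/* Invariant 1 (bdrv_aio_cancel): after cancel the callback must never run. */
static void backend_cancel(AIOCB *acb) { acb->pending = 0; }
/* Completion. honour_cancel == 0 models a broken AIOCB implementation that
 * still fires the callback after cancel. Returns 1 if the callback ran. */
static int backend_complete(AIOCB *acb, int ret, int honour_cancel)
{
    if (honour_cancel && !acb->pending) return 0;
    acb->pending = 0;
    acb->cb(acb->opaque, ret);
    return 1;
}
/* Model of dma_bdrv_cb: the request is done, so clear dbs->acb and release. */
static void dma_cb(void *opaque, int ret)
{
    DMAState *dbs = opaque; (void)ret;
    dbs->acb = NULL;
    dbs->releases++;
}
/* Model of dma_aio_cancel: cancel the pending request, then release once. */
static void dma_cancel(DMAState *dbs)
{
    if (dbs->acb) { backend_cancel(dbs->acb); dbs->acb = NULL; }
    dbs->releases++;
}
/* Invariant 2 (dma-helpers.c): a pending request implies dbs->acb points at it. */
static int dma_invariant_holds(const DMAState *dbs)
{
    return !request_slot.pending || dbs->acb == &request_slot;
}
/* Start, cancel, then let the backend complete anyway. Returns the release
 * count: 1 when cancel is honoured, 2 (the double free) when it is not. */
static int scenario_cancel_then_complete(int honour_cancel)
{
    DMAState dbs = { NULL, 0 };
    dbs.acb = backend_submit(dma_cb, &dbs);
    dma_cancel(&dbs);
    backend_complete(&request_slot, 0, honour_cancel);
    return dbs.releases;
}
```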