Hi,

even with

+From 271c0f68b4eae72691721243a1c37f46a3232d61 Mon Sep 17 00:00:00 2001
+From: Fam Zheng <f...@redhat.com>
+Date: Wed, 21 May 2014 10:42:13 +0800
+Subject: [PATCH] aio: Fix use-after-free in cancellation path

applied, I saw a segfault today with the following backtrace:

Program terminated with signal 11, Segmentation fault.
#0  0x00007f9dd633343f in event_notifier_set (e=0x124) at util/event_notifier-posix.c:97
97      util/event_notifier-posix.c: No such file or directory.
(gdb) bt
#0  0x00007f9dd633343f in event_notifier_set (e=0x124) at util/event_notifier-posix.c:97
#1  0x00007f9dd5f4eafc in aio_notify (ctx=0x0) at async.c:246
#2  0x00007f9dd5f4e697 in qemu_bh_schedule (bh=0x7f9b98eeeb30) at async.c:128
#3  0x00007f9dd5fa2c44 in rbd_finish_aiocb (c=0x7f9dd9069ad0, rcb=0x7f9dd85f1770) at block/rbd.c:585
#4  0x00007f9dd38d5e44 in librbd::AioCompletion::complete() () from /usr/lib/librbd.so.1
#5  0x00007f9dd38d5832 in librbd::AioCompletion::complete_request(CephContext*, long) () from /usr/lib/librbd.so.1
#6  0x00007f9dd3dab6ba in Context::complete(int) () from /usr/lib/librados.so.2
#7  0x00007f9dd3908e85 in ObjectCacher::C_WaitForWrite::finish(int) () from /usr/lib/librbd.so.1
#8  0x00007f9dd3dab6ba in Context::complete(int) () from /usr/lib/librados.so.2
#9  0x00007f9dd3e4e3c8 in Finisher::finisher_thread_entry() () from /usr/lib/librados.so.2
#10 0x00007f9dcde5ab50 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#11 0x00007f9dcdba513d in clone () from /lib/x86_64-linux-gnu/libc.so.6
#12 0x0000000000000000 in ?? ()

On 28.05.2014 21:44, Stefan Priebe wrote:
> is this:
> commit 271c0f68b4eae72691721243a1c37f46a3232d61
> Author: Fam Zheng <f...@redhat.com>
> Date:   Wed May 21 10:42:13 2014 +0800
>
>     aio: Fix use-after-free in cancellation path
>
> Stefan
>
> On 28.05.2014 21:40, Stefan Priebe wrote:
>> Hello,
>>
>> I mean since using qemu 2.0 I've now seen several times the following
>> segfault:
>> (gdb) bt
>> #0  0x00007f2af1196433 in event_notifier_set (e=0x124) at
>> util/event_notifier-posix.c:97
>> #1  0x00007f2af0db1afc in aio_notify (ctx=0x0) at async.c:246
>> #2  0x00007f2af0db1697 in qemu_bh_schedule (bh=0x7f2ad401bec0) at
>> async.c:128
>> #3  0x00007f2af0e05c44 in rbd_finish_aiocb (c=0x7f2ad5ec4590,
>> rcb=0x7f2ad63c5df0) at block/rbd.c:585
>> #4  0x00007f2aee738e44 in librbd::AioCompletion::complete() () from
>> /usr/lib/librbd.so.1
>> #5  0x00007f2aee738832 in
>> librbd::AioCompletion::complete_request(CephContext*, long) () from
>> /usr/lib/librbd.so.1
>> #6  0x00007f2aeec0e6ba in Context::complete(int) () from
>> /usr/lib/librados.so.2
>> #7  0x00007f2aee76be85 in ObjectCacher::C_WaitForWrite::finish(int) ()
>> from /usr/lib/librbd.so.1
>> #8  0x00007f2aeec0e6ba in Context::complete(int) () from
>> /usr/lib/librados.so.2
>> #9  0x00007f2aeecb13c8 in Finisher::finisher_thread_entry() () from
>> /usr/lib/librados.so.2
>> #10 0x00007f2ae8cbdb50 in start_thread () from
>> /lib/x86_64-linux-gnu/libpthread.so.0
>> #11 0x00007f2ae8a080ed in clone () from /lib/x86_64-linux-gnu/libc.so.6
>> #12 0x0000000000000000 in ?? ()
>> (gdb)
>>
>>
>> from another VM:
>> #0  0x00007f89565ec433 in event_notifier_set (e=0x124) at
>> util/event_notifier-posix.c:97
>> #1  0x00007f8956207afc in aio_notify (ctx=0x0) at async.c:246
>> #2  0x00007f8956207697 in qemu_bh_schedule (bh=0x7f882dd6d340) at
>> async.c:128
>> #3  0x00007f895625bc44 in rbd_finish_aiocb (c=0x7f882d4c34a0,
>> rcb=0x7f882c0ae350) at block/rbd.c:585
>> #4  0x00007f8953b8ee44 in librbd::AioCompletion::complete() () from
>> /usr/lib/librbd.so.1
>> #5  0x00007f8953b8e832 in
>> librbd::AioCompletion::complete_request(CephContext*, long) () from
>> /usr/lib/librbd.so.1
>> #6  0x00007f89540646ba in Context::complete(int) () from
>> /usr/lib/librados.so.2
>> #7  0x00007f8953bc1e85 in ObjectCacher::C_WaitForWrite::finish(int) ()
>> from /usr/lib/librbd.so.1
>> #8  0x00007f89540646ba in Context::complete(int) () from
>> /usr/lib/librados.so.2
>> #9  0x00007f89541073c8 in Finisher::finisher_thread_entry() () from
>> /usr/lib/librados.so.2
>> #10 0x00007f894e113b50 in start_thread () from
>> /lib/x86_64-linux-gnu/libpthread.so.0
>> #11 0x00007f894de5e0ed in clone () from /lib/x86_64-linux-gnu/libc.so.6
>> #12 0x0000000000000000 in ?? ()
>>
>> Stefan
>>
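All three backtraces in this thread share the same shape: the faulting pointer `e=0x124` in frame #0 sits directly beneath `ctx=0x0` in frame #1, which is what a field at offset 0x124 of a NULL AioContext looks like, not a wild pointer. The following triage script for that pattern is an added example, not code from the thread or from QEMU; it assumes the first page of the address space is unmapped and takes its sample frames from the first backtrace above.

```python
import re

# Frames excerpted from the first backtrace in the thread (constructed sample input).
SAMPLE_BT = """\
#0  0x00007f9dd633343f in event_notifier_set (e=0x124) at util/event_notifier-posix.c:97
#1  0x00007f9dd5f4eafc in aio_notify (ctx=0x0) at async.c:246
#2  0x00007f9dd5f4e697 in qemu_bh_schedule (bh=0x7f9b98eeeb30) at async.c:128
#3  0x00007f9dd5fa2c44 in rbd_finish_aiocb (c=0x7f9dd9069ad0, rcb=0x7f9dd85f1770) at block/rbd.c:585
#4  0x00007f9dd38d5e44 in librbd::AioCompletion::complete() () from /usr/lib/librbd.so.1
#5  0x00007f9dd38d5832 in librbd::AioCompletion::complete_request(CephContext*, long) () from /usr/lib/librbd.so.1
"""

FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-f]+ in (.+?) \((.*?)\)(?: at (\S+)| from (\S+))?")
ARG_RE = re.compile(r"(\w+)=(0x[0-9a-f]+|\d+)")
# Assumption: the first page is unmapped, so any pointer below it is NULL or NULL plus a field offset.
NULL_PAGE = 0x1000

def parse_backtrace(text):
    """Turn gdb 'bt' output into a list of {no, func, args, where} dicts."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue
        no, func, args, src, lib = m.groups()
        frames.append({"no": int(no), "func": func,
                       "args": {k: int(v, 0) for k, v in ARG_RE.findall(args)},
                       "where": src or lib or "?"})
    return frames

def suspicious_pointers(frames):
    """(frame no, func, arg, value) for every argument that lies in the NULL page."""
    return [(f["no"], f["func"], k, v) for f in frames
            for k, v in f["args"].items() if v < NULL_PAGE]

def explain_fault(frames):
    """Relate the near-NULL pointer in frame #0 to the first NULL argument further up
    the stack: a value like 0x124 is NULL plus a struct-field offset handed down by a caller."""
    hits = suspicious_pointers(frames)
    if not hits or hits[0][0] != 0:
        return None
    _, func0, arg0, addr = hits[0]
    for no, func, arg, val in hits[1:]:
        if val == 0:
            return (f"{func0}({arg0}=0x{addr:x}): field at offset 0x{addr:x} of NULL "
                    f"'{arg}' handed down from frame #{no} {func}")
    return f"{func0}({arg0}=0x{addr:x}) touched the NULL page"
```

Running `explain_fault(parse_backtrace(SAMPLE_BT))` points at the NULL `ctx` in `aio_notify`, which is the frame to start from when checking whether the bottom half's owning context was freed before `qemu_bh_schedule` ran.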