On Wed, Mar 16, 2016 at 06:10:18PM +0800, Fam Zheng wrote: > + data = g_new(VirtIOBlockStartData, 1); > + data->vblk = vblk; > + data->bh = aio_bh_new(s->ctx, virtio_blk_data_plane_start_bh_cb, data); > + qemu_bh_schedule(data->bh); > + qemu_mutex_unlock(&s->start_stop_lock); > return;
This BH usage pattern is dangerous: 1. The BH is created and scheduled. 2. Before the BH executes the device is unrealized. 3. The data->bh pointer is inaccessible so we have a dangling BH that will access vblk after vblk has been freed. In some cases it can be safe but I don't see why the pattern is safe in this case. Either the BH needs to hold some sort of reference to keep vblk alive, or vblk needs to know about pending BHs so they can be deleted.
signature.asc
Description: PGP signature
