432cb7
From d5a85fcf996948d1154e88e9ee3b4e8c64ec2694 Mon Sep 17 00:00:00 2001
432cb7
From: Hanna Reitz <hreitz@redhat.com>
432cb7
Date: Fri, 4 Feb 2022 12:10:08 +0100
432cb7
Subject: [PATCH 2/6] block/nbd: Assert there are no timers when closed
432cb7
432cb7
RH-Author: Hanna Reitz <hreitz@redhat.com>
432cb7
RH-MergeRequest: 117: block/nbd: Handle AioContext changes
432cb7
RH-Commit: [2/6] 995795ae9844a7d2b28cb1e57fd7fe81482d0205
432cb7
RH-Bugzilla: 2035185
432cb7
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
432cb7
RH-Acked-by: Eric Blake <eblake@redhat.com>
432cb7
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
432cb7
432cb7
Our two timers must not remain armed beyond nbd_clear_bdrvstate(), or
432cb7
they will access freed data when they fire.
432cb7
432cb7
This patch is separate from the patches that actually fix the issue
432cb7
(HEAD^^ and HEAD^) so that you can run the associated regression iotest
432cb7
(281) on a configuration that reproducibly exposes the bug.
432cb7
432cb7
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
432cb7
Signed-off-by: Hanna Reitz <hreitz@redhat.com>
432cb7
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
432cb7
(cherry picked from commit 8a39c381e5e407d2fe5500324323f90a8540fa90)
432cb7
432cb7
Conflict:
432cb7
- block/nbd.c: open_timer was introduced after the 6.2 release (for
432cb7
  nbd's @open-timeout parameter), and has not been backported, so drop
432cb7
  the assertion that it is NULL
432cb7
432cb7
Signed-off-by: Hanna Reitz <hreitz@redhat.com>
432cb7
---
432cb7
 block/nbd.c | 3 +++
432cb7
 1 file changed, 3 insertions(+)
432cb7
432cb7
diff --git a/block/nbd.c b/block/nbd.c
432cb7
index b8e5a9b4cc..aab20125d8 100644
432cb7
--- a/block/nbd.c
432cb7
+++ b/block/nbd.c
432cb7
@@ -108,6 +108,9 @@ static void nbd_clear_bdrvstate(BlockDriverState *bs)
432cb7
 
432cb7
     yank_unregister_instance(BLOCKDEV_YANK_INSTANCE(bs->node_name));
432cb7
 
432cb7
+    /* Must not leave timers behind that would access freed data */
432cb7
+    assert(!s->reconnect_delay_timer);
432cb7
+
432cb7
     object_unref(OBJECT(s->tlscreds));
432cb7
     qapi_free_SocketAddress(s->saddr);
432cb7
     s->saddr = NULL;
432cb7
-- 
432cb7
2.27.0
432cb7