File 0354-9pfs-only-free-completed-request-if.patch of Package qemu.6354
From 8f461c318a0d5eb5d4b8a05a5d4ad2cc7441e461 Mon Sep 17 00:00:00 2001
From: Greg Kurz <groug@kaod.org>
Date: Mon, 17 Oct 2016 14:13:58 +0200
Subject: [PATCH] 9pfs: only free completed request if not flushed
If a PDU has a flush request pending, the current code calls pdu_free()
twice:
1) pdu_complete()->pdu_free() with pdu->cancelled set, which does nothing
2) v9fs_flush()->pdu_free() with pdu->cancelled cleared, which moves the
PDU back to the free list.
This works but it complexifies the logic of pdu_free().
With this patch, pdu_complete() only calls pdu_free() if no flush request
is pending, i.e. qemu_co_queue_next() returns false.
Since pdu_free() is now supposed to be called with pdu->cancelled cleared,
the check in pdu_free() is dropped and replaced by an assertion.
Signed-off-by: Greg Kurz <groug@kaod.org>
(cherry picked from commit f74e27bf0f07425aba6cb812aa7f5aa98bb68542)
[BR: Fix and/or infrastructure for BSC#1020427 CVE-2016-9602]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/9pfs/9p.c | 18 +++++++-----------
1 file changed, 7 insertions(+), 11 deletions(-)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 882994c21c..46dd54db7c 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -607,14 +607,10 @@ V9fsPDU *pdu_alloc(V9fsState *s)
void pdu_free(V9fsPDU *pdu)
{
V9fsState *s = pdu->s;
- /*
- * Cancelled pdu are added back to the freelist
- * by flush request .
- */
- if (!pdu->cancelled) {
- QLIST_REMOVE(pdu, next);
- QLIST_INSERT_HEAD(&s->free_list, pdu, next);
- }
+
+ g_assert(!pdu->cancelled);
+ QLIST_REMOVE(pdu, next);
+ QLIST_INSERT_HEAD(&s->free_list, pdu, next);
}
/*
@@ -659,9 +655,9 @@ static void pdu_complete(V9fsPDU *pdu, ssize_t len)
pdu_push_and_notify(pdu);
/* Now wakeup anybody waiting in flush for this request */
- qemu_co_queue_next(&pdu->complete);
-
- pdu_free(pdu);
+ if (!qemu_co_queue_next(&pdu->complete)) {
+ pdu_free(pdu);
+ }
}
static mode_t v9mode_to_mode(uint32_t mode, V9fsString *extension)
