diff options
author | Fam Zheng <famz@redhat.com> | 2015-03-16 17:03:37 +0800 |
---|---|---|
committer | Paolo Bonzini <pbonzini@redhat.com> | 2015-04-27 18:24:18 +0200 |
commit | e95205e1f9cd2c4262b7a7b1c992a94512c86d0e (patch) | |
tree | 1c03e53eeb46e2d7c15b9c15a1f1c9414e254e6e /include/exec | |
parent | 33b6c2edf6214f02b9beaea61b169506c01f90aa (diff) | |
download | qemu-e95205e1f9cd2c4262b7a7b1c992a94512c86d0e.zip qemu-e95205e1f9cd2c4262b7a7b1c992a94512c86d0e.tar.gz qemu-e95205e1f9cd2c4262b7a7b1c992a94512c86d0e.tar.bz2 |
dma-helpers: Fix race condition of continue_after_map_failure and dma_aio_cancel
If DMA's owning thread cancels the IO while the bounce buffer's owning thread
is notifying the "cpu client list", a use-after-free happens:
continue_after_map_failure dma_aio_cancel
------------------------------------------------------------------
aio_bh_new
qemu_bh_delete
qemu_bh_schedule (use after free)
Also, the old code doesn't run the bh in the right AioContext.
Fix both problems by passing a QEMUBH to cpu_register_map_client.
Signed-off-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <1426496617-10702-6-git-send-email-famz@redhat.com>
[Remove unnecessary forward declaration. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat (limited to 'include/exec')
-rw-r--r-- | include/exec/cpu-common.h | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/include/exec/cpu-common.h b/include/exec/cpu-common.h index fcc3162..43428bd 100644 --- a/include/exec/cpu-common.h +++ b/include/exec/cpu-common.h @@ -82,7 +82,8 @@ void *cpu_physical_memory_map(hwaddr addr, int is_write); void cpu_physical_memory_unmap(void *buffer, hwaddr len, int is_write, hwaddr access_len); -void *cpu_register_map_client(void *opaque, void (*callback)(void *opaque)); +void cpu_register_map_client(QEMUBH *bh); +void cpu_unregister_map_client(QEMUBH *bh); bool cpu_physical_memory_is_io(hwaddr phys_addr); |