diff options
author | Remy Noel <remy.noel@blade-group.com> | 2018-12-20 16:20:30 +0100 |
---|---|---|
committer | Stefan Hajnoczi <stefanha@redhat.com> | 2019-01-14 14:09:41 +0000 |
commit | fef1660132b0f25bf2d275d7f986ddcfe19a4426 (patch) | |
tree | 3aa14f19cea3740b70df72d1751d5b50200711d2 /util/aio-win32.c | |
parent | 8821b34a7362d69b325c045dad4557782775683b (diff) | |
download | qemu-fef1660132b0f25bf2d275d7f986ddcfe19a4426.zip qemu-fef1660132b0f25bf2d275d7f986ddcfe19a4426.tar.gz qemu-fef1660132b0f25bf2d275d7f986ddcfe19a4426.tar.bz2 |
aio-posix: Fix concurrent aio_poll/set_fd_handler.
It is possible for an io_poll callback to be concurrently executed along
with an aio_set_fd_handlers. This can cause all sorts of problems, like
a NULL callback or a bad opaque pointer.
This changes set_fd_handlers so that it no longer modify existing handlers
entries and instead, always insert those after having proper initialisation.
Tested-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Remy Noel <remy.noel@blade-group.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 20181220152030.28035-3-remy.noel@blade-group.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Diffstat (limited to 'util/aio-win32.c')
-rw-r--r-- | util/aio-win32.c | 67 |
1 files changed, 29 insertions, 38 deletions
diff --git a/util/aio-win32.c b/util/aio-win32.c index c58957c..a23b9c3 100644 --- a/util/aio-win32.c +++ b/util/aio-win32.c @@ -35,6 +35,22 @@ struct AioHandler { QLIST_ENTRY(AioHandler) node; }; +static void aio_remove_fd_handler(AioContext *ctx, AioHandler *node) +{ + /* If aio_poll is in progress, just mark the node as deleted */ + if (qemu_lockcnt_count(&ctx->list_lock)) { + node->deleted = 1; + node->pfd.revents = 0; + } else { + /* Otherwise, delete it for real. We can't just mark it as + * deleted because deleted nodes are only cleaned up after + * releasing the list_lock. + */ + QLIST_REMOVE(node, node); + g_free(node); + } +} + void aio_set_fd_handler(AioContext *ctx, int fd, bool is_external, @@ -44,41 +60,23 @@ void aio_set_fd_handler(AioContext *ctx, void *opaque) { /* fd is a SOCKET in our case */ - AioHandler *node; + AioHandler *old_node; + AioHandler *node = NULL; qemu_lockcnt_lock(&ctx->list_lock); - QLIST_FOREACH(node, &ctx->aio_handlers, node) { - if (node->pfd.fd == fd && !node->deleted) { + QLIST_FOREACH(old_node, &ctx->aio_handlers, node) { + if (old_node->pfd.fd == fd && !old_node->deleted) { break; } } - /* Are we deleting the fd handler? */ - if (!io_read && !io_write) { - if (node) { - /* If aio_poll is in progress, just mark the node as deleted */ - if (qemu_lockcnt_count(&ctx->list_lock)) { - node->deleted = 1; - node->pfd.revents = 0; - } else { - /* Otherwise, delete it for real. We can't just mark it as - * deleted because deleted nodes are only cleaned up after - * releasing the list_lock. - */ - QLIST_REMOVE(node, node); - g_free(node); - } - } - } else { + if (io_read || io_write) { HANDLE event; long bitmask = 0; - if (node == NULL) { - /* Alloc and insert if it's not already there */ - node = g_new0(AioHandler, 1); - node->pfd.fd = fd; - QLIST_INSERT_HEAD_RCU(&ctx->aio_handlers, node, node); - } + /* Alloc and insert if it's not already there */ + node = g_new0(AioHandler, 1); + node->pfd.fd = fd; node->pfd.events = 0; if (node->io_read) { @@ -104,9 +102,13 @@ void aio_set_fd_handler(AioContext *ctx, bitmask |= FD_WRITE | FD_CONNECT; } + QLIST_INSERT_HEAD_RCU(&ctx->aio_handlers, node, node); event = event_notifier_get_handle(&ctx->notifier); WSAEventSelect(node->pfd.fd, event, bitmask); } + if (old_node) { + aio_remove_fd_handler(ctx, old_node); + } qemu_lockcnt_unlock(&ctx->list_lock); aio_notify(ctx); @@ -139,18 +141,7 @@ void aio_set_event_notifier(AioContext *ctx, if (node) { g_source_remove_poll(&ctx->source, &node->pfd); - /* aio_poll is in progress, just mark the node as deleted */ - if (qemu_lockcnt_count(&ctx->list_lock)) { - node->deleted = 1; - node->pfd.revents = 0; - } else { - /* Otherwise, delete it for real. We can't just mark it as - * deleted because deleted nodes are only cleaned up after - * releasing the list_lock. - */ - QLIST_REMOVE(node, node); - g_free(node); - } + aio_remove_fd_handler(ctx, node); } } else { if (node == NULL) { |