--- /dev/null
+From 4535f739edfdea392e381811963823bf05649e42 Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi <stefanha@redhat.com>
+Date: Tue, 3 Jun 2014 11:21:01 +0200
+Subject: [PATCH] aio: fix qemu_bh_schedule() bh->ctx race condition
+
+qemu_bh_schedule() is supposed to be thread-safe at least the first time
+it is called. Unfortunately this is not quite true:
+
+ bh->scheduled = 1;
+ aio_notify(bh->ctx);
+
+Since another thread may run the BH callback once it has been scheduled,
+there is a race condition if the callback frees the BH before
+aio_notify(bh->ctx) has a chance to run.
+
+Reported-by: Stefan Priebe <s.priebe@profihost.ag>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Signed-off-by: Stefan Priebe <s.priebe@profihost.ag>
+---
+ async.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/async.c b/async.c
+index 6930185..5b6fe6b 100644
+--- a/async.c
++++ b/async.c
+@@ -117,15 +117,21 @@ void qemu_bh_schedule_idle(QEMUBH *bh)
+
+ void qemu_bh_schedule(QEMUBH *bh)
+ {
++ AioContext *ctx;
++
+ if (bh->scheduled)
+ return;
++ ctx = bh->ctx;
+ bh->idle = 0;
+- /* Make sure that idle & any writes needed by the callback are done
+- * before the locations are read in the aio_bh_poll.
++ /* Make sure that:
++ * 1. idle & any writes needed by the callback are done before the
++ * locations are read in the aio_bh_poll.
++ * 2. ctx is loaded before scheduled is set and the callback has a chance
++ * to execute.
+ */
+- smp_wmb();
++ smp_mb();
+ bh->scheduled = 1;
+- aio_notify(bh->ctx);
++ aio_notify(ctx);
+ }
+
+
+--
+1.7.10.4
+
projects / pve-qemu-kvm.git / commitdiff