From: Stefan Priebe Date: Thu, 5 Jun 2014 06:19:43 +0000 (+0200) Subject: fix another aio bug 0001-aio-fix-qemu_bh_schedule-bh-ctx-race-condition.patch X-Git-Url: https://git.proxmox.com/?p=pve-qemu-kvm.git;a=commitdiff_plain;h=8632395da0d7dc4c3fb4ecebabeadf81609ccaa9 fix another aio bug 0001-aio-fix-qemu_bh_schedule-bh-ctx-race-condition.patch Signed-off-by: Stefan Priebe --- diff --git a/debian/patches/0001-aio-fix-qemu_bh_schedule-bh-ctx-race-condition.patch b/debian/patches/0001-aio-fix-qemu_bh_schedule-bh-ctx-race-condition.patch new file mode 100644 index 0000000..a01765b --- /dev/null +++ b/debian/patches/0001-aio-fix-qemu_bh_schedule-bh-ctx-race-condition.patch 
@@ -0,0 +1,55 @@ +From 4535f739edfdea392e381811963823bf05649e42 Mon Sep 17 00:00:00 2001 +From: Stefan Hajnoczi +Date: Tue, 3 Jun 2014 11:21:01 +0200 +Subject: [PATCH] aio: fix qemu_bh_schedule() bh->ctx race condition + +qemu_bh_schedule() is supposed to be thread-safe at least the first time +it is called. Unfortunately this is not quite true: + + bh->scheduled = 1; + aio_notify(bh->ctx); + +Since another thread may run the BH callback once it has been scheduled, +there is a race condition if the callback frees the BH before +aio_notify(bh->ctx) has a chance to run. + +Reported-by: Stefan Priebe +Signed-off-by: Stefan Hajnoczi +Signed-off-by: Stefan Priebe +--- + async.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/async.c b/async.c +index 6930185..5b6fe6b 100644 +--- a/async.c ++++ b/async.c +@@ -117,15 +117,21 @@ void qemu_bh_schedule_idle(QEMUBH *bh) + + void qemu_bh_schedule(QEMUBH *bh) + { ++ AioContext *ctx; ++ + if (bh->scheduled) + return; ++ ctx = bh->ctx; + bh->idle = 0; +- /* Make sure that idle & any writes needed by the callback are done +- * before the locations are read in the aio_bh_poll. ++ /* Make sure that: ++ * 1. idle & any writes needed by the callback are done before the ++ * locations are read in the aio_bh_poll. ++ * 2. ctx is loaded before scheduled is set and the callback has a chance ++ * to execute. + */ +- smp_wmb(); ++ smp_mb(); + bh->scheduled = 1; +- aio_notify(bh->ctx); ++ aio_notify(ctx); + } + + +-- +1.7.10.4 + diff --git a/debian/patches/series b/debian/patches/series index 3dc1c11..926211a 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -26,3 +26,4 @@ internal-snapshot-async.patch disable-efi-enable-pxe-roms.patch backup-vma-allow-empty-backups.patch 0001-aio-Fix-use-after-free-in-cancellation-path.patch +0001-aio-fix-qemu_bh_schedule-bh-ctx-race-condition.patch
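Review bot: the essential part of the async.c hunk is not the local `ctx` copy alone but the upgrade from `smp_wmb()` to `smp_mb()`, and the new comment's point 2 should say why: a write barrier only orders stores against stores, so it does nothing to keep the load of `bh->ctx` ahead of the store `bh->scheduled = 1`; only a full barrier gives the "ctx is loaded before scheduled is set" guarantee the comment promises. With the local copy in place, nothing dereferences `bh` after `bh->scheduled = 1` (the final call is `aio_notify(ctx);`), which is exactly the property needed because, as the commit message notes, the callback may free the BH as soon as it is scheduled; any later change to this function must preserve that ordering. The hunk context also shows the tail of `qemu_bh_schedule_idle(QEMUBH *bh)` immediately above; it is worth confirming in the same review that that function does not follow the same `bh->scheduled = 1` then `bh->ctx` pattern, since only `qemu_bh_schedule()` is changed here.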
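Review bot: in the debian/patches/series hunk, the new entry is appended directly after 0001-aio-Fix-use-after-free-in-cancellation-path.patch, which touches the same aio code; the embedded patch carries upstream hunk offsets (`@@ -117,15 +117,21 @@`), so the build should be checked to confirm it still applies at that position in the series without fuzz or offset warnings. Both entries share the `0001-` prefix produced by `git format-patch`; that is harmless here because the full names differ, but keeping the upstream commit id (4535f739edfdea392e381811963823bf05649e42 from the embedded `From` line) in the series comment or file name would make it easier to drop the patch when the package rebases onto a QEMU release that already contains it.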