From: Alexander Graf Date: Wed, 6 May 2009 00:58:48 +0000 (+0200) Subject: AIO deletion race fix X-Git-Tag: v0.10.4~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8bd8199f708c41fd779e2b84a7bcc1b8cdb5b753;p=thirdparty%2Fqemu.git AIO deletion race fix When deleting an fd event there is a chance the object doesn't get deleted, but only ->deleted set positive and deleted somewhere later. Now, if we create a handler for the fd again before the actual deletion occurs, we end up writing data into an object that has ->deleted set, which is obviously wrong. I see two ways to fix this: 1. Don't return ->deleted objects in the search 2. Unset ->deleted in the search This patch implements 1. which feels safer to do. It fixes AIO issues I've seen with curl, as libcurl unsets fd event listeners pretty frequently. Signed-off-by: Alexander Graf Signed-off-by: Anthony Liguori --- diff --git a/aio.c b/aio.c index 200320c9794..11fbb6c0c53 100644 --- a/aio.c +++ b/aio.c @@ -44,7 +44,8 @@ static AioHandler *find_aio_handler(int fd) LIST_FOREACH(node, &aio_handlers, node) { if (node->fd == fd) - return node; + if (!node->deleted) + return node; } return NULL;
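Review bot: In find_aio_handler(), the two nested unbraced `if` statements inside LIST_FOREACH are easy to misread and invite a dangling-else mistake in a later edit; a single condition, `if (node->fd == fd && !node->deleted)`, expresses the same check. The function would also benefit from a short comment stating that nodes marked ->deleted are skipped, because a NULL return now means "no live handler for this fd" rather than "no node for this fd". Going by the commit message, a handler created before the pending deletion completes will then sit in aio_handlers alongside the deleted node for the same fd, so the callers of find_aio_handler() (not shown in this hunk) should be checked to confirm they handle two nodes with one fd until the deleted one is reaped.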