From mboxrd@z Thu Jan 1 00:00:00 1970
From: alex@csgraf.de
Date: Wed, 6 May 2009 02:58:48 +0200
Message-Id: <1241571528-16154-1-git-send-email-alex@csgraf.de>
Subject: [Qemu-devel] [PATCH] AIO deletion race fix
List-Id: qemu-devel.nongnu.org
To: qemu-devel@nongnu.org
Cc: Alexander Graf

From: Alexander Graf

When deleting an fd event there is a chance the object doesn't get
deleted, but only ->deleted set positive and deleted somewhere later.

Now, if we create a handler for the fd again before the actual
deletion occurs, we end up writing data into an object that has
->deleted set, which is obviously wrong.

I see two ways to fix this:

  1. Don't return ->deleted objects in the search
  2. Unset ->deleted in the search

This patch implements 1. which feels safer to do. It fixes AIO issues
I've seen with curl, as libcurl unsets fd event listeners pretty
frequently.

Signed-off-by: Alexander Graf
---
 aio.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/aio.c b/aio.c
index 200320c..11fbb6c 100644
--- a/aio.c
+++ b/aio.c
@@ -44,7 +44,8 @@ static AioHandler *find_aio_handler(int fd) LIST_FOREACH(node, &aio_handlers, node) { if (node->fd == fd) - return node; + if (!node->deleted) + return node; } return NULL; -- 1.6.0.2
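
Review bot: The nested, unbraced `if (node->fd == fd)` / `if (!node->deleted)` pair in find_aio_handler() is easy to misread and would silently bind a later `else` to the inner test; fold it into one condition, `if (node->fd == fd && !node->deleted)`, or brace both levels. Because the loop now walks past a matching node whose ->deleted is set, a one-line comment stating that such nodes are pending removal and must not be handed out for reuse (the race the commit message describes) would stop a later cleanup from dropping the check. The function now also returns NULL when the only match for the fd is a deleted node, so the callers, which are not shown in this hunk, should be confirmed to treat NULL as "allocate a new handler" on the set path and as "nothing to remove" on the unset path.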