From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from [140.186.70.92] (port=36675 helo=eggs.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1PheLe-0004d5-Sk
	for qemu-devel@nongnu.org; Tue, 25 Jan 2011 03:34:19 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <corentin.chary@gmail.com>) id 1PheLJ-0001fT-0M
	for qemu-devel@nongnu.org; Tue, 25 Jan 2011 03:33:58 -0500
Received: from smtp1.tech.numericable.fr ([82.216.111.37]:40306)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <corentin.chary@gmail.com>) id 1PheLI-0001fD-NH
	for qemu-devel@nongnu.org; Tue, 25 Jan 2011 03:33:36 -0500
From: Corentin Chary <corentin.chary@gmail.com>
Date: Tue, 25 Jan 2011 09:33:26 +0100
Message-Id: <1295944407-19680-2-git-send-email-corentin.chary@gmail.com>
In-Reply-To: <1295902845-29807-3-git-send-email-aliguori@us.ibm.com>
References: <1295902845-29807-3-git-send-email-aliguori@us.ibm.com>
Subject: [Qemu-devel] [PATCH 1/2] vl.c: set NULL upon deleting handlers in
	qemu_set_fd_handler2()
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Anthony Liguori <aliguori@us.ibm.com>
Cc: qemu-devel@nongnu.org, Yoshiaki Tamura <tamura.yoshiaki@lab.ntt.co.jp>

From: Yoshiaki Tamura <tamura.yoshiaki@lab.ntt.co.jp>

Currently qemu_set_fd_handler2() is only setting ioh->deleted upon
deleting.  This may cause a crash when a read handler calls
qemu_set_fd_handler2() to delete handlers, but a write handler is
still invoked from main_loop_wait().  Because main_loop_wait() checks
handlers before calling, setting NULL upon deleting will protect
handlers being called if already deleted.

One example is the new threaded vnc server.  When an error occurs in
the context of a read handler, it'll releases resources and deletes
handlers.  However, because the write handler still exists, it'll be
called, and then crashes because of lack of resources.  This patch
fixes it.

Signed-off-by: Yoshiaki Tamura <tamura.yoshiaki@lab.ntt.co.jp>
Reviewed-by: Corentin Chary <corentincj@iksaif.net>
---
 vl.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/vl.c b/vl.c
index 14255c4..7a26bea 100644
--- a/vl.c
+++ b/vl.c
@@ -1037,6 +1037,8 @@ int qemu_set_fd_handler2(int fd,
         QLIST_FOREACH(ioh, &io_handlers, next) {
             if (ioh->fd == fd) {
                 ioh->deleted = 1;
+                ioh->fd_read = NULL;
+                ioh->fd_write = NULL;
                 break;
             }
         }
-- 
1.7.3.4