Commit 924fe129 authored Jun 03, 2014 by Stefan Hajnoczi

aio: fix qemu_bh_schedule() bh->ctx race condition



qemu_bh_schedule() is supposed to be thread-safe at least the first time
it is called.  Unfortunately this is not quite true:

  bh->scheduled = 1;
  aio_notify(bh->ctx);

Since another thread may run the BH callback once it has been scheduled,
there is a race condition if the callback frees the BH before
aio_notify(bh->ctx) has a chance to run.

Reported-by: Stefan Priebe <s.priebe@profihost.ag>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Tested-by: Stefan Priebe <s.priebe@profihost.ag>

parent e00fcfea

async.c

+10 −4

Original line number	Diff line number	Diff line
		@@ -117,15 +117,21 @@ void qemu_bh_schedule_idle(QEMUBH *bh)

		void qemu_bh_schedule(QEMUBH *bh)
		{
		AioContext *ctx;

		if (bh->scheduled)
		return;
		ctx = bh->ctx;
		bh->idle = 0;
		/* Make sure that idle & any writes needed by the callback are done
		* before the locations are read in the aio_bh_poll.
		/* Make sure that:
		* 1. idle & any writes needed by the callback are done before the
		* locations are read in the aio_bh_poll.
		* 2. ctx is loaded before scheduled is set and the callback has a chance
		* to execute.
		*/
		smp_wmb();
		smp_mb();
		bh->scheduled = 1;
		aio_notify(bh->ctx);
		aio_notify(ctx);
		}