| Message ID | 1282524923-2368-1-git-send-email-tamura.yoshiaki@lab.ntt.co.jp |
|---|---|
| State | New |
| Headers | show |
On Mon, Aug 23, 2010 at 2:55 AM, Yoshiaki Tamura <tamura.yoshiaki@lab.ntt.co.jp> wrote: > Currently qemu_set_fd_handler2() is only setting ioh->deleted upon > deleting. This may cause a crash when a read handler calls > qemu_set_fd_handler2() to delete handlers, but a write handler is > still invoked from main_loop_wait(). Because main_loop_wait() checks > handlers before calling, setting NULL upon deleting will protect > handlers being called if already deleted. > > One example is the new threaded vnc server. When an error occurs in > the context of a read handler, it'll releases resources and deletes > handlers. However, because the write handler still exists, it'll be > called, and then crashes because of lack of resources. This patch > fixes it. > > Signed-off-by: Yoshiaki Tamura <tamura.yoshiaki@lab.ntt.co.jp> > --- > vl.c | 2 ++ > 1 files changed, 2 insertions(+), 0 deletions(-) > > diff --git a/vl.c b/vl.c > index ccc8d57..7ae69ab 100644 > --- a/vl.c > +++ b/vl.c > @@ -966,6 +966,8 @@ int qemu_set_fd_handler2(int fd, > QLIST_FOREACH(ioh, &io_handlers, next) { > if (ioh->fd == fd) { > ioh->deleted = 1; > + ioh->fd_read = NULL; > + ioh->fd_write = NULL; > break; > } > } > -- > 1.7.1.1 > > Good catch, thanks, Reviewed-by: Corentin Chary <corentincj@iksaif.net>
2010/8/23 Corentin Chary <corentin.chary@gmail.com>: > On Mon, Aug 23, 2010 at 2:55 AM, Yoshiaki Tamura > <tamura.yoshiaki@lab.ntt.co.jp> wrote: >> Currently qemu_set_fd_handler2() is only setting ioh->deleted upon >> deleting. This may cause a crash when a read handler calls >> qemu_set_fd_handler2() to delete handlers, but a write handler is >> still invoked from main_loop_wait(). Because main_loop_wait() checks >> handlers before calling, setting NULL upon deleting will protect >> handlers being called if already deleted. >> >> One example is the new threaded vnc server. When an error occurs in >> the context of a read handler, it'll releases resources and deletes >> handlers. However, because the write handler still exists, it'll be >> called, and then crashes because of lack of resources. This patch >> fixes it. >> >> Signed-off-by: Yoshiaki Tamura <tamura.yoshiaki@lab.ntt.co.jp> >> --- >> vl.c | 2 ++ >> 1 files changed, 2 insertions(+), 0 deletions(-) >> >> diff --git a/vl.c b/vl.c >> index ccc8d57..7ae69ab 100644 >> --- a/vl.c >> +++ b/vl.c >> @@ -966,6 +966,8 @@ int qemu_set_fd_handler2(int fd, >> QLIST_FOREACH(ioh, &io_handlers, next) { >> if (ioh->fd == fd) { >> ioh->deleted = 1; >> + ioh->fd_read = NULL; >> + ioh->fd_write = NULL; >> break; >> } >> } >> -- >> 1.7.1.1 >> >> > > Good catch, thanks, > > Reviewed-by: Corentin Chary <corentincj@iksaif.net> Ping? > > -- > Corentin Chary > http://xf.iksaif.net > >
diff --git a/vl.c b/vl.c index ccc8d57..7ae69ab 100644 --- a/vl.c +++ b/vl.c @@ -966,6 +966,8 @@ int qemu_set_fd_handler2(int fd, QLIST_FOREACH(ioh, &io_handlers, next) { if (ioh->fd == fd) { ioh->deleted = 1; + ioh->fd_read = NULL; + ioh->fd_write = NULL; break; } }
Currently qemu_set_fd_handler2() is only setting ioh->deleted upon deleting. This may cause a crash when a read handler calls qemu_set_fd_handler2() to delete handlers, but a write handler is still invoked from main_loop_wait(). Because main_loop_wait() checks handlers before calling, setting NULL upon deleting will protect handlers being called if already deleted. One example is the new threaded vnc server. When an error occurs in the context of a read handler, it'll releases resources and deletes handlers. However, because the write handler still exists, it'll be called, and then crashes because of lack of resources. This patch fixes it. Signed-off-by: Yoshiaki Tamura <tamura.yoshiaki@lab.ntt.co.jp> --- vl.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-)