[pve-devel] [PATCH] fix another aio bug 0001-aio-fix-qemu_bh_schedule-bh-ctx-race-condition.patch
Stefan Priebe
s.priebe at profihost.ag
Thu Jun 5 08:19:43 CEST 2014
Signed-off-by: Stefan Priebe <s.priebe at profihost.ag>
---
...ix-qemu_bh_schedule-bh-ctx-race-condition.patch | 55 ++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 56 insertions(+)
create mode 100644 debian/patches/0001-aio-fix-qemu_bh_schedule-bh-ctx-race-condition.patch
diff --git a/debian/patches/0001-aio-fix-qemu_bh_schedule-bh-ctx-race-condition.patch b/debian/patches/0001-aio-fix-qemu_bh_schedule-bh-ctx-race-condition.patch
new file mode 100644
index 0000000..a01765b
--- /dev/null
+++ b/debian/patches/0001-aio-fix-qemu_bh_schedule-bh-ctx-race-condition.patch
@@ -0,0 +1,55 @@
+From 4535f739edfdea392e381811963823bf05649e42 Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi <stefanha at redhat.com>
+Date: Tue, 3 Jun 2014 11:21:01 +0200
+Subject: [PATCH] aio: fix qemu_bh_schedule() bh->ctx race condition
+
+qemu_bh_schedule() is supposed to be thread-safe at least the first time
+it is called. Unfortunately this is not quite true:
+
+ bh->scheduled = 1;
+ aio_notify(bh->ctx);
+
+Since another thread may run the BH callback once it has been scheduled,
+there is a race condition if the callback frees the BH before
+aio_notify(bh->ctx) has a chance to run.
+
+Reported-by: Stefan Priebe <s.priebe at profihost.ag>
+Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
+Signed-off-by: Stefan Priebe <s.priebe at profihost.ag>
+---
+ async.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/async.c b/async.c
+index 6930185..5b6fe6b 100644
+--- a/async.c
++++ b/async.c
+@@ -117,15 +117,21 @@ void qemu_bh_schedule_idle(QEMUBH *bh)
+
+ void qemu_bh_schedule(QEMUBH *bh)
+ {
++ AioContext *ctx;
++
+ if (bh->scheduled)
+ return;
++ ctx = bh->ctx;
+ bh->idle = 0;
+- /* Make sure that idle & any writes needed by the callback are done
+- * before the locations are read in the aio_bh_poll.
++ /* Make sure that:
++ * 1. idle & any writes needed by the callback are done before the
++ * locations are read in the aio_bh_poll.
++ * 2. ctx is loaded before scheduled is set and the callback has a chance
++ * to execute.
+ */
+- smp_wmb();
++ smp_mb();
+ bh->scheduled = 1;
+- aio_notify(bh->ctx);
++ aio_notify(ctx);
+ }
+
+
+--
+1.7.10.4
+
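Review bot: the new comment lines (`+ * 2. ctx is loaded before scheduled is set and the callback has a chance` / `+ * to execute.`) say what has to be ordered but not why the barrier had to change from smp_wmb() to smp_mb(); a write barrier only orders earlier stores against later stores, whereas here the load `ctx = bh->ctx;` must complete before the store `bh->scheduled = 1;` becomes visible, which only a full barrier guarantees. A sentence to that effect in the comment would stop a later reader from "tightening" it back to smp_wmb(). Also, the embedded file carries the git format-patch trailer (`--` / `1.7.10.4`) and trailing blank line; quilt tolerates this, but it is worth keeping the file as a clean cherry-pick of upstream 4535f739 so it can be dropped once a QEMU release containing it is packaged.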
diff --git a/debian/patches/series b/debian/patches/series
index 3dc1c11..926211a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -26,3 +26,4 @@ internal-snapshot-async.patch
disable-efi-enable-pxe-roms.patch
backup-vma-allow-empty-backups.patch
0001-aio-Fix-use-after-free-in-cancellation-path.patch
+0001-aio-fix-qemu_bh_schedule-bh-ctx-race-condition.patch
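Review bot: the appended entry reuses the `0001-` sequence prefix already carried by `0001-aio-Fix-use-after-free-in-cancellation-path.patch` on the line above; application order comes from position in the series file, so this applies fine, but two `0001-` files in the same directory are easy to confuse. Suggest dropping the format-patch number (e.g. `aio-fix-qemu_bh_schedule-bh-ctx-race-condition.patch`) or numbering the aio fixes consecutively. Since both entries are aio fixes, it is worth confirming that `quilt push -a` applies the full series cleanly with this patch last.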
--
1.7.10.4